[00:00.000 --> 00:02.640]  Hello, DEF CON Red Team Village.
[00:02.640 --> 00:06.100]  I want to thank you today for taking the time to listen to this talk.
[00:06.100 --> 00:07.820]  I've really been looking forward to it,
[00:07.820 --> 00:11.380]  and I'm excited to be able to share this information with you today.
[00:11.380 --> 00:14.740]  My talk is titled Combining Notebooks, Datasets, and Cloud
[00:14.740 --> 00:17.160]  for the Ultimate Automation Factory.
[00:17.660 --> 00:19.260]  And all through this presentation,
[00:19.260 --> 00:21.820]  I really want to challenge you to think about
[00:21.820 --> 00:24.480]  pushing the boundaries of the art of the possible,
[00:24.480 --> 00:27.120]  trying to change how we do things in our day-to-day lives,
[00:27.120 --> 00:30.160]  the manual processes, how can we be more efficient?
[00:30.160 --> 00:33.080]  How can we operationalize and streamline these activities
[00:33.080 --> 00:36.000]  so that we can be more productive in our lives?
[00:36.000 --> 00:38.400]  And also, as a Red Teamer, as a Blue Teamer,
[00:38.400 --> 00:40.740]  as a security practitioner,
[00:40.740 --> 00:42.660]  how can we better ourselves and our careers
[00:42.660 --> 00:45.340]  and really elevate ourselves to the next step?
[00:45.740 --> 00:50.500]  I know it's definitely sad that we're not all together in person at DEF CON.
[00:50.500 --> 00:52.800]  I know I had everything booked, ready to go.
[00:52.800 --> 00:54.820]  I was excited, looking forward to it.
[00:54.820 --> 00:57.060]  But I will say, having this virtual offering
[00:57.060 --> 01:00.300]  is something that's really changed the dynamic of information security
[01:00.300 --> 01:03.260]  and the landscape and the hacking and all of this.
[01:03.260 --> 01:06.100]  It's actually really set a playing field
[01:06.100 --> 01:08.820]  where a lot of people that didn't have the means or methods
[01:08.820 --> 01:12.220]  to attend Vegas or make it to DEF CON or Black Hat,
[01:12.220 --> 01:17.080]  now it kind of sets the bar where having it online, virtual, free,
[01:17.080 --> 01:19.960]  having direct access through Discord, through Slack,
[01:19.960 --> 01:21.860]  through different channels and mechanisms,
[01:21.860 --> 01:25.180]  to the industry experts, the people that I've looked up to for years
[01:25.180 --> 01:28.960]  who I've learned from, being able to share the stage with them alongside,
[01:28.960 --> 01:31.260]  it's a pretty awesome time.
[01:31.260 --> 01:33.900]  The other cool thing is, now I can sit in Discord,
[01:33.900 --> 01:36.860]  I can be ready for questions and answers as we're doing this talk.
[01:36.860 --> 01:39.040]  So feel free, interactively, to do this.
[01:44.480 --> 01:47.440]  We won't spend a lot of time in the About Me section,
[01:47.440 --> 01:50.560]  but by day, I'm a security architect,
[01:50.560 --> 01:52.740]  and my main focus is cloud security.
[01:52.740 --> 01:55.400]  So I get to see a lot of use cases around the new,
[01:55.400 --> 01:57.860]  latest, greatest emerging technologies in cloud.
[01:57.860 --> 01:59.800]  How are they being leveraged to help businesses
[01:59.800 --> 02:02.220]  and help drive innovation and success
[02:02.220 --> 02:06.680]  and actually decrease operating costs and accelerate delivery.
[02:06.680 --> 02:08.660]  So I'm taking a lot of those examples,
[02:08.660 --> 02:10.920]  and then I'm combining it with kind of my night job,
[02:10.920 --> 02:12.200]  which is security research.
[02:12.200 --> 02:15.980]  I mean, security is my, it's my job, but it's also my hobby.
[02:15.980 --> 02:18.940]  It's what I love to do anytime that I have spare time
[02:18.940 --> 02:21.060]  that's not either working or with family,
[02:21.060 --> 02:24.340]  I'm probably doing security research in some way, shape or form.
[02:24.340 --> 02:26.520]  So feel free to check out these projects.
[02:26.520 --> 02:28.120]  I have a blog on Medium.
[02:28.440 --> 02:32.060]  Any code, any examples, any demos, the slides,
[02:32.060 --> 02:35.660]  everything from this presentation will be available in GitHub.
[02:35.660 --> 02:37.160]  So you can start checking that out.
[02:37.160 --> 02:39.240]  If you want to follow along with anything,
[02:39.680 --> 02:41.600]  a lot of the content, the resources, the notebooks
[02:41.600 --> 02:43.220]  that we go through will be available there.
[02:43.220 --> 02:45.340]  So I encourage you to pull it up while I'm talking,
[02:45.340 --> 02:46.460]  do that, check things out,
[02:46.460 --> 02:48.720]  and feel free to ask questions as we go along.
[02:48.720 --> 02:51.240]  But thanks again, and let's jump right in.
[02:55.800 --> 02:57.960]  So what are we actually going to cover?
[02:57.960 --> 03:02.440]  For the agenda today, there's really a couple of things,
[03:02.440 --> 03:04.780]  but I really want to focus on inputs and outputs.
[03:04.780 --> 03:05.780]  I think it's a mindset.
[03:05.780 --> 03:08.780]  We always talk about the hacking mindset, the security mindset.
[03:08.960 --> 03:11.320]  Well, in this case of this talk and the scope,
[03:11.320 --> 03:13.000]  I want you to think about inputs.
[03:13.000 --> 03:14.140]  What are the objectives?
[03:14.140 --> 03:15.140]  What are the goals?
[03:15.140 --> 03:16.760]  What do you put in?
[03:16.820 --> 03:18.100]  And then what are those outputs?
[03:18.100 --> 03:19.980]  How can we normalize these outputs so that way
[03:19.980 --> 03:21.060]  you don't have to try to remember
[03:21.060 --> 03:23.400]  how do you do 500 different scripts?
[03:23.400 --> 03:25.140]  How do you make these tools work?
[03:25.140 --> 03:28.340]  How do I manually parse through all these outputs and data?
[03:28.360 --> 03:31.840]  So throughout this, we're going to show kind of modular,
[03:31.840 --> 03:35.020]  repeatable technology, agnostic designs.
[03:35.260 --> 03:38.820]  And then how do you apply this from a cloud-focused technology?
[03:38.820 --> 03:42.420]  And we're going to spend our time in the AWS ecosystem.
[03:42.420 --> 03:46.140]  However, you really could translate this to any of the major cloud providers.
[03:46.240 --> 03:48.360]  And then also, we're going to provide some solutions.
[03:48.360 --> 03:52.380]  So how do you tie this all together so that way you can become more efficient?
[03:52.380 --> 03:54.600]  And I'm hoping that if you watch this talk,
[03:54.600 --> 03:57.120]  you apply these concepts, your key takeaways are
[03:57.120 --> 03:59.160]  I want you to make yourself better.
[03:59.160 --> 04:01.160]  I want to make the people around you better.
[04:01.160 --> 04:03.260]  And I'm hoping that overall, we can all work together
[04:03.260 --> 04:04.740]  and make the industry better.
[04:08.000 --> 04:10.480]  So this is the story of my life.
[04:10.480 --> 04:12.900]  Thank you, Jason, for sharing these tweets
[04:12.900 --> 04:14.620]  because the timing was perfect.
[04:14.620 --> 04:16.520]  And I started thinking in terms of,
[04:16.520 --> 04:17.880]  and this is in the scope of Bug Bounty,
[04:17.880 --> 04:20.380]  if you've ever worked on Bug Bounty,
[04:20.380 --> 04:21.720]  you see these different tweets of
[04:21.720 --> 04:23.880]  I just made $5,000.
[04:23.880 --> 04:25.580]  Or I made a $15,000 bug.
[04:25.580 --> 04:27.100]  Or I just made $400.
[04:27.980 --> 04:29.980]  It's kind of, that's how I always feel,
[04:29.980 --> 04:32.000]  is wow, let's just spend a couple hours,
[04:32.000 --> 04:33.460]  let's make a couple thousand bucks.
[04:33.460 --> 04:34.620]  But that's not the case.
[04:34.620 --> 04:38.280]  And I'm probably, I don't know if this resonates with any of you,
[04:38.280 --> 04:40.860]  but I'm the person that if you were to ever see me tweet
[04:40.860 --> 04:43.040]  I just made $2,000 on a Bug Bounty,
[04:43.040 --> 04:44.980]  that's because I just probably put in
[04:45.340 --> 04:46.900]  a hundred hours trying to research
[04:46.900 --> 04:49.320]  through reconnaissance, through tooling,
[04:49.320 --> 04:51.640]  through tests and failures and inputs
[04:51.640 --> 04:53.720]  and report writing just to make that.
[04:53.720 --> 04:54.700]  And that's what goes on, I think,
[04:54.700 --> 04:56.640]  often behind the scenes that we overlook.
[04:57.040 --> 04:59.080]  And one of the things is, too,
[04:59.080 --> 05:02.000]  is our most valuable commodity is time.
[05:02.040 --> 05:04.440]  My biggest challenge is finding the time
[05:04.440 --> 05:06.440]  to be able to do this, to really get in the weeds,
[05:06.440 --> 05:09.360]  to dig in and try to find these red team objectives
[05:09.360 --> 05:11.780]  to relearn, I'm always relearning things
[05:11.780 --> 05:13.680]  or figuring out or looking up or Googling
[05:13.680 --> 05:18.480]  or all the places where I'm trying to relearn
[05:18.480 --> 05:20.420]  all the things I've learned historically.
[05:20.580 --> 05:21.700]  How can we make it faster?
[05:21.700 --> 05:23.360]  How can we be more efficient?
[05:23.400 --> 05:25.240]  So when I have these two or three hours
[05:25.240 --> 05:28.160]  in an evening to spend, I can be focused.
[05:28.160 --> 05:29.320]  I can look at my targets.
[05:29.320 --> 05:31.100]  I know exactly what I want to do.
[05:31.100 --> 05:32.200]  I don't have to spend hours
[05:32.200 --> 05:34.260]  doing the reconnaissance research
[05:34.260 --> 05:35.720]  trying to just make selections
[05:35.720 --> 05:36.840]  on what my targets are
[05:36.840 --> 05:38.680]  because that takes up all my time.
[05:38.680 --> 05:40.800]  And then the time to value is really zero
[05:40.800 --> 05:41.560]  and net none.
[05:41.580 --> 05:43.660]  I'm going to focus on how do I be productive?
[05:43.660 --> 05:44.860]  How do I make money?
[05:44.860 --> 05:46.140]  And how do I find issues?
[05:46.140 --> 05:48.940]  And further, what I'm attempting to do.
[05:48.940 --> 05:51.900]  So that's what really drew me into
[05:51.900 --> 05:54.060]  how do I build this automated ecosystem
[05:54.060 --> 05:56.600]  and take advantage of the new technologies
[05:56.600 --> 05:57.920]  and new capabilities out there
[05:57.920 --> 06:00.600]  so that I can be the best that I possibly can.
[06:04.120 --> 06:06.280]  So now let's jump into the architecture
[06:06.280 --> 06:07.880]  of the underlying design
[06:07.880 --> 06:09.740]  of the entire automated ecosystem
[06:09.740 --> 06:11.500]  that we're going to build and talk about
[06:11.500 --> 06:13.180]  through the remainder of this presentation.
[06:13.200 --> 06:14.820]  We'll have a bunch of demos
[06:14.820 --> 06:17.260]  and code snippets and things
[06:17.260 --> 06:18.960]  that we're going to kind of deep dive in
[06:18.960 --> 06:21.360]  and hoping that you can leverage these as accelerators
[06:21.780 --> 06:24.500]  so they can be agnostic to a specific tool,
[06:24.580 --> 06:25.600]  a specific process.
[06:25.600 --> 06:26.800]  But as you look at different things
[06:26.800 --> 06:27.940]  that you do and experience
[06:27.940 --> 06:29.580]  from a Red Team perspective
[06:29.580 --> 06:31.580]  or even just from a general
[06:31.580 --> 06:33.320]  information security process
[06:33.320 --> 06:35.800]  or practice that you do in your daily jobs,
[06:35.800 --> 06:39.020]  these are all components that can apply
[06:39.020 --> 06:40.460]  in a lot of different ways,
[06:40.460 --> 06:41.780]  which I think is really exciting.
[06:41.780 --> 06:44.120]  And that's a big part of why I feel like
[06:44.120 --> 06:45.700]  rather than just trying to deliver
[06:45.700 --> 06:47.640]  this custom tool that is just a script
[06:47.640 --> 06:48.680]  or something that you run
[06:48.680 --> 06:50.160]  and you routinely run it
[06:50.160 --> 06:51.900]  and it does the same thing every time,
[06:51.900 --> 06:53.580]  what I want to kind of teach
[06:53.580 --> 06:54.980]  is that thinking in terms of
[06:54.980 --> 06:57.120]  how do you build that underlying infrastructure
[06:57.120 --> 06:58.400]  that can support anything
[06:58.400 --> 06:59.980]  that can be thrown at you?
[06:59.980 --> 07:01.340]  How can you better yourself
[07:01.340 --> 07:02.560]  and understand rather than
[07:02.560 --> 07:04.320]  you kind of move up from
[07:04.320 --> 07:06.000]  knowing just how to run a tool
[07:06.000 --> 07:07.180]  to actually understanding
[07:07.180 --> 07:08.860]  what's going on behind the scenes,
[07:08.860 --> 07:10.060]  how do I piece this together
[07:10.060 --> 07:11.880]  and how do I make it my own?
[07:11.880 --> 07:12.940]  So I have this system
[07:12.940 --> 07:15.080]  that can be potentially better than others
[07:15.080 --> 07:17.460]  or bring you to the best in the industry
[07:17.460 --> 07:18.920]  or just solve challenges
[07:18.920 --> 07:21.020]  that you have on a day-to-day basis.
[07:21.240 --> 07:23.240]  So as we look at this architecture,
[07:23.240 --> 07:25.760]  it's really broken down into three key pieces.
[07:25.760 --> 07:29.020]  And on the left side is the user interaction.
[07:29.140 --> 07:30.220]  So these are the components
[07:30.720 --> 07:31.740]  of the cloud services
[07:31.740 --> 07:33.800]  that you're going to generally interact with,
[07:33.800 --> 07:34.780]  whether it's an input,
[07:34.780 --> 07:35.840]  whether it's an output.
[07:36.060 --> 07:37.700]  But in the design that I have
[07:37.700 --> 07:38.820]  that we're going to walk through,
[07:38.820 --> 07:40.480]  it's going to leverage these four pieces.
[07:40.480 --> 07:42.880]  And we're going to, as we go further,
[07:42.880 --> 07:44.140]  I'm going to give you a quick overview
[07:44.140 --> 07:45.320]  of every one of these components
[07:45.320 --> 07:46.820]  just to explain what it does,
[07:46.820 --> 07:48.000]  what it's used for.
[07:48.040 --> 07:49.040]  And in the back of your mind,
[07:49.040 --> 07:50.040]  continue to think,
[07:50.040 --> 07:52.580]  how can I reuse this for X function
[07:52.580 --> 07:53.680]  or what I'm trying to do
[07:53.680 --> 07:54.700]  or my daily job?
[07:54.700 --> 07:57.140]  And how can I convert my manual efforts
[07:57.140 --> 07:58.620]  that I do on a day-to-day basis?
[07:58.620 --> 07:59.840]  How can I save time,
[07:59.840 --> 08:00.920]  be more efficient,
[08:00.920 --> 08:01.900]  and automate this
[08:01.900 --> 08:04.040]  so that way I can make my life better?
[08:04.960 --> 08:06.640]  Basically, you can automate yourself
[08:06.640 --> 08:08.880]  and then you can focus more
[08:08.880 --> 08:11.120]  on the latest, greatest technology emerging.
[08:11.120 --> 08:13.060]  Push your program forward,
[08:13.060 --> 08:14.640]  mature in everything you're doing,
[08:14.640 --> 08:16.860]  and just continue to build and build on top
[08:16.860 --> 08:17.960]  so we're not relearning,
[08:17.960 --> 08:19.460]  we're not doing the same manual tasks
[08:19.460 --> 08:20.560]  over and over.
[08:20.580 --> 08:22.680]  And this ecosystem will really elevate that
[08:22.680 --> 08:23.720]  so that way you can do
[08:23.720 --> 08:24.360]  and you can build
[08:24.360 --> 08:25.180]  and it's modular
[08:25.180 --> 08:28.060]  and it's really an ecosystem
[08:28.060 --> 08:30.680]  of a lot of microservices in doing that.
[08:30.800 --> 08:33.320]  The middle layer is your processing and computation.
[08:33.320 --> 08:34.700]  So you have your user interaction
[08:34.700 --> 08:36.240]  that will pass everything over
[08:36.240 --> 08:37.960]  to your processing and computation.
[08:37.960 --> 08:40.280]  And this is a pretty big arsenal
[08:40.280 --> 08:41.440]  of different tools.
[08:41.440 --> 08:44.860]  You have, whether it's big data type,
[08:44.860 --> 08:47.140]  query analytics services,
[08:47.140 --> 08:48.540]  it could be eventually,
[08:48.540 --> 08:49.980]  we're not going to show any of these today,
[08:49.980 --> 08:51.460]  but if you get into machine learning
[08:52.440 --> 08:53.880]  or image recognition
[08:53.880 --> 08:56.760]  and thinking in terms of future opportunities
[08:56.760 --> 08:58.780]  of like you have screenshots of webpages,
[08:58.780 --> 08:59.460]  maybe you want to process
[08:59.680 --> 09:01.660]  a bunch of images of those really quickly,
[09:01.660 --> 09:02.700]  this would be your processing
[09:02.700 --> 09:04.360]  and computation layer.
[09:04.460 --> 09:05.880]  And then the last layer,
[09:05.880 --> 09:07.000]  I think is pretty key
[09:07.000 --> 09:07.860]  and it's really important
[09:07.860 --> 09:10.160]  to get this in the mindset
[09:10.160 --> 09:12.780]  as you kind of consider future opportunities,
[09:12.780 --> 09:14.460]  is that data storage layer.
[09:14.540 --> 09:15.480]  You look at today,
[09:15.600 --> 09:17.720]  a lot of the processes you may have,
[09:17.720 --> 09:19.140]  like if you're doing reconnaissance,
[09:19.140 --> 09:21.660]  you might run five or six different tools.
[09:21.660 --> 09:22.760]  In those inputs,
[09:22.760 --> 09:23.760]  you're going to submit,
[09:23.760 --> 09:24.780]  maybe it's a domain,
[09:24.780 --> 09:26.080]  maybe it's an ASN,
[09:26.080 --> 09:28.380]  maybe it could be a CIDR range.
[09:28.380 --> 09:29.780]  It could be various things.
[09:29.780 --> 09:30.700]  You input that.
[09:30.700 --> 09:31.820]  Generally, the outputs
[09:31.820 --> 09:33.640]  of your various tools and scripts,
[09:33.640 --> 09:35.400]  they're going to be slightly different.
[09:35.400 --> 09:37.300]  And that's where that source data bucket
[09:37.300 --> 09:38.320]  comes into play.
[09:38.320 --> 09:40.300]  So I expect, anticipate,
[09:40.300 --> 09:42.600]  let's pull in 100 tools eventually together.
[09:42.600 --> 09:43.880]  Let's all put that data,
[09:43.880 --> 09:45.680]  source data into that source data bucket
[09:45.680 --> 09:48.000]  that's just various formats and everything.
[09:48.300 --> 09:49.260]  And then what we want to do
[09:49.260 --> 09:50.380]  is we want to think in terms of
[09:50.380 --> 09:51.580]  how do we normalize this?
[09:51.580 --> 09:53.420]  What's the actual objective of this?
[09:53.420 --> 09:55.060]  Because in a lot of cases,
[09:55.060 --> 09:56.260]  I mean, and we're going to look from
[09:56.260 --> 09:58.900]  kind of a red team bug bounty perspective,
[09:58.900 --> 09:59.820]  but think broader
[09:59.820 --> 10:01.760]  as you think about your actual job,
[10:01.760 --> 10:03.540]  whether you're doing risk management,
[10:03.540 --> 10:05.720]  whether you're doing third party analysis,
[10:05.720 --> 10:08.020]  whether you are a security engineer,
[10:08.020 --> 10:08.640]  whether you're an architect,
[10:08.640 --> 10:09.820]  any role in this,
[10:09.820 --> 10:11.660]  think about how this can apply.
[10:11.680 --> 10:13.240]  But we look at our inputs and outputs.
[10:13.240 --> 10:14.260]  So a lot of our tools,
[10:14.260 --> 10:15.580]  they're either going to output things
[10:15.580 --> 10:16.940]  such as URLs.
[10:16.940 --> 10:19.560]  It might be parameters
[10:19.560 --> 10:21.420]  for a different web page.
[10:21.420 --> 10:23.680]  You could have the ASN numbers
[10:23.680 --> 10:24.620]  for network ranges.
[10:24.620 --> 10:25.740]  You could have CIDR ranges.
[10:25.740 --> 10:27.080]  You could have domain names.
[10:27.080 --> 10:28.140]  You could have subdomains.
[10:28.140 --> 10:29.580]  You could have company names.
[10:29.580 --> 10:32.220]  You could have certificate assignments,
[10:32.220 --> 10:34.000]  different inputs and outputs.
[10:34.000 --> 10:35.480]  So those are all of your various outputs
[10:35.480 --> 10:36.840]  that you're generally going to have
[10:36.840 --> 10:38.040]  across your tools.
[10:38.340 --> 10:40.540]  We need to make these common between that
[10:40.540 --> 10:42.040]  so we can further process this
[10:42.040 --> 10:43.160]  and make this data useful
[10:43.160 --> 10:45.080]  because I know one of the areas
[10:45.080 --> 10:46.440]  that I struggle with the most
[10:46.440 --> 10:48.420]  is parsing through this data of every tool
[10:48.420 --> 10:50.180]  and it just takes so much time.
[10:50.220 --> 10:51.780]  And that's something that we could,
[10:51.780 --> 10:53.340]  if you do it one time for a tool
[10:53.340 --> 10:54.520]  where you normalize the data,
[10:54.520 --> 10:55.980]  you never have to do it again.
[10:56.100 --> 10:58.760]  And the cooler part about this is
[10:58.760 --> 11:00.740]  we only need one person in the industry
[11:00.740 --> 11:01.860]  to do it per tool
[11:01.860 --> 11:03.320]  or start to kind of standardize
[11:03.320 --> 11:04.380]  and build in.
[11:04.480 --> 11:06.360]  And that's where on my GitHub
[11:06.360 --> 11:08.720]  you'll see Project Straylight.
[11:08.900 --> 11:09.760]  And my goal is really
[11:09.760 --> 11:12.660]  to just have this running open network
[11:12.660 --> 11:14.980]  of here's accelerators we can do,
[11:14.980 --> 11:15.780]  here's code snippets
[11:15.780 --> 11:17.040]  that have helped me along the way.
[11:17.040 --> 11:19.200]  And it's maybe not so much a technology
[11:19.200 --> 11:20.660]  or tool that you install,
[11:20.660 --> 11:22.340]  but it's just a bunch of ideas
[11:22.340 --> 11:24.040]  and things that have helped me in my career
[11:24.040 --> 11:26.260]  that over the past 10 to 12 years
[11:26.260 --> 11:28.700]  that I've either had to relearn or do,
[11:28.700 --> 11:29.980]  I'm trying to aggregate it all
[11:29.980 --> 11:31.220]  into this ecosystem,
[11:31.220 --> 11:32.500]  this architecture that we see
[11:32.500 --> 11:35.060]  of how can I do what I've spent
[11:35.060 --> 11:38.120]  so many hours doing redundantly, manually,
[11:38.120 --> 11:39.100]  and how can I make it better
[11:39.100 --> 11:41.280]  so that way the newer generation,
[11:41.280 --> 11:42.620]  the next people that are going
[11:42.620 --> 11:43.920]  to be experts, leaders in this,
[11:43.920 --> 11:44.940]  can just build on top
[11:44.940 --> 11:45.720]  of what we already have
[11:45.720 --> 11:47.260]  so we're not continuing to rebuild
[11:47.260 --> 11:49.140]  and we can advance further and further
[11:49.140 --> 11:51.340]  and we can win in this industry.
[11:51.340 --> 11:53.680]  So that's a lot of the intent there.
[11:53.680 --> 11:55.440]  So as we look at the data storage layers,
[11:55.440 --> 11:57.120]  you basically go from your raw data,
[11:57.120 --> 11:59.100]  which could be the output of any tool,
[11:59.100 --> 12:01.240]  you get to more of a normalized version.
[12:01.580 --> 12:03.140]  And then you also get
[12:03.140 --> 12:05.300]  into your presentation layer.
[12:05.300 --> 12:07.040]  And that's when it's your reporting,
[12:07.040 --> 12:08.680]  it's your analysis, it's your metrics,
[12:08.680 --> 12:10.100]  it's the outputs that you want to show
[12:10.100 --> 12:11.780]  for the delivery of your work.
[12:11.780 --> 12:13.180]  And this could speak to any level
[12:13.180 --> 12:14.520]  depending on how you present it.
[12:14.520 --> 12:16.360]  So you could do an aggregate of
[12:16.360 --> 12:18.360]  here's all the attacks that we've had
[12:18.360 --> 12:19.840]  over the course of X days,
[12:19.840 --> 12:21.940]  summarized into charts, graphs,
[12:21.940 --> 12:23.900]  and that might be at more of a CISO level.
[12:23.900 --> 12:26.240]  You could have indicators of compromise
[12:26.240 --> 12:27.460]  or different signatures,
[12:27.460 --> 12:28.020]  different levels,
[12:28.020 --> 12:30.620]  which you would feed into an engineering team.
[12:30.620 --> 12:32.340]  That could be part of your presentation.
[12:32.340 --> 12:33.440]  But it's how do you normalize
[12:33.920 --> 12:34.880]  and how do you show this
[12:34.880 --> 12:36.860]  in kind of a formatted way
[12:36.860 --> 12:38.040]  so that way if you have to do
[12:38.040 --> 12:40.520]  monthly vulnerability reports or metrics
[12:40.520 --> 12:42.860]  or showing analysis of how you've
[12:42.860 --> 12:44.700]  further progressed or analyzed websites
[12:44.700 --> 12:46.540]  or targets and you want to compare
[12:46.540 --> 12:48.200]  what you've done, what you haven't done,
[12:48.200 --> 12:50.340]  that's where that presentation layer comes in.
[12:50.440 --> 12:51.240]  So we're going to jump in
[12:51.240 --> 12:52.440]  and I think we're going to do,
[12:52.440 --> 12:53.420]  let's do a demo.
[12:53.420 --> 12:54.500]  And let's kind of show,
[12:54.500 --> 12:55.520]  I'll show from end to end
[12:55.520 --> 12:56.400]  kind of one area
[12:56.880 --> 12:58.020]  where we can go across this
[12:58.020 --> 12:59.480]  of how this ecosystem works.
[12:59.480 --> 13:00.740]  And then after that,
[13:00.740 --> 13:02.280]  we'll dive in further.
[13:02.280 --> 13:03.600]  I'm going to show you the accelerators,
[13:03.600 --> 13:05.040]  the pieces, the components.
[13:05.060 --> 13:06.460]  Keep in mind that all of this
[13:06.460 --> 13:07.860]  is also available in GitHub.
[13:07.860 --> 13:09.300]  You can access it as we go along.
[13:09.300 --> 13:10.040]  You can check it out.
[13:10.040 --> 13:11.200]  Feel free to use it.
[13:13.180 --> 13:14.400]  Create issues in the GitHub
[13:14.400 --> 13:16.140]  if you find any things.
[13:16.140 --> 13:17.360]  Reach out to me with questions.
[13:17.360 --> 13:18.500]  But I really just want to continue
[13:18.500 --> 13:20.020]  to build and teach you
[13:20.020 --> 13:21.060]  how you can kind of think
[13:21.060 --> 13:21.860]  in terms of building
[13:21.860 --> 13:23.840]  your own automated ecosystem.
[13:25.480 --> 13:26.920]  As you're watching this too,
[13:26.920 --> 13:28.740]  you're probably thinking,
[13:28.740 --> 13:29.640]  why cloud?
[13:29.640 --> 13:31.260]  I have a really nice home lab.
[13:31.260 --> 13:32.620]  Do I really need it?
[13:32.620 --> 13:34.040]  There's three key areas
[13:34.040 --> 13:35.280]  beyond just the amount
[13:35.280 --> 13:36.620]  of what we just walked through
[13:36.620 --> 13:37.300]  in that architecture
[13:37.300 --> 13:39.020]  that you have available to you.
[13:39.020 --> 13:40.780]  But it's pretty exciting
[13:40.780 --> 13:41.740]  when you think about
[13:41.740 --> 13:43.760]  what cloud can mean to you.
[13:43.760 --> 13:45.040]  And if you hear...
[13:45.040 --> 13:46.840]  I mean, the businesses, industries,
[13:46.840 --> 13:48.220]  everybody is adopting it.
[13:48.660 --> 13:49.760]  That's nothing new.
[13:49.760 --> 13:51.160]  It's not anything new there.
[13:51.160 --> 13:52.920]  But I think there's three key parts
[13:52.920 --> 13:54.720]  of cloud that are really exciting
[13:54.720 --> 13:56.560]  as just an individual researcher
[13:56.560 --> 13:57.520]  where you don't need
[13:57.520 --> 13:58.260]  millions of dollars
[13:58.260 --> 13:59.280]  or tens of thousands of dollars
[13:59.280 --> 14:00.360]  of funding behind you
[14:00.360 --> 14:01.980]  to actually make progress.
[14:02.040 --> 14:03.280]  The first part is
[14:03.280 --> 14:04.920]  the democratized accessibility
[14:04.920 --> 14:06.200]  of datasets.
[14:06.420 --> 14:07.880]  There's some pretty massive
[14:07.880 --> 14:10.240]  and interesting datasets out there.
[14:10.240 --> 14:11.300]  The problem is that
[14:11.300 --> 14:12.420]  on our home labs,
[14:12.420 --> 14:13.300]  our home computers,
[14:13.300 --> 14:14.420]  our home servers,
[14:14.560 --> 14:15.420]  a lot of those don't have
[14:15.420 --> 14:16.620]  either the horsepower
[14:16.620 --> 14:18.920]  to accomplish what we need.
[14:18.920 --> 14:19.860]  We need more memory,
[14:19.860 --> 14:20.540]  more CPU,
[14:20.540 --> 14:21.760]  or it's not close enough
[14:21.760 --> 14:22.220]  to the data
[14:22.220 --> 14:23.440]  where we can't download
[14:23.440 --> 14:24.340]  petabytes of data
[14:24.340 --> 14:25.260]  or terabytes of data
[14:25.260 --> 14:26.340]  in a meaningful way
[14:26.340 --> 14:27.480]  to keep up
[14:27.480 --> 14:29.280]  and be able to analyze and do.
[14:29.280 --> 14:29.900]  And that's where
[14:29.900 --> 14:31.240]  you kind of run into issues
[14:31.240 --> 14:32.520]  of data gravity.
[14:32.520 --> 14:33.260]  And you need to build
[14:33.260 --> 14:34.180]  your compute actually
[14:34.180 --> 14:35.560]  closer to the data stores,
[14:35.560 --> 14:36.720]  the data repositories,
[14:36.720 --> 14:38.040]  because it's costly.
[14:38.040 --> 14:39.700]  It's expensive to move those.
[14:39.700 --> 14:41.320]  So how can we proceed
[14:41.320 --> 14:42.380]  with that?
[14:44.120 --> 14:45.640]  The other piece is that
[14:45.640 --> 14:47.340]  if you look across the world,
[14:47.340 --> 14:48.680]  we're facing right now,
[14:48.680 --> 14:49.880]  we're all in quarantine,
[14:49.880 --> 14:52.520]  we're social distancing.
[14:52.540 --> 14:52.900]  You have...
[14:53.520 --> 14:54.520]  So take a look
[14:54.520 --> 14:55.260]  at what's going on
[14:55.260 --> 14:55.940]  around the race
[14:55.940 --> 14:57.220]  to find vaccines
[14:57.220 --> 14:58.540]  and solutions to COVID
[14:58.540 --> 15:00.120]  and kind of the data
[15:00.120 --> 15:01.720]  around that in the pieces.
[15:01.820 --> 15:03.580]  The world is coming around cloud
[15:03.580 --> 15:04.840]  and the latest, greatest
[15:04.840 --> 15:05.770]  computational technologies
[15:06.180 --> 15:07.020]  to solve the world's
[15:07.020 --> 15:07.900]  biggest problems
[15:07.900 --> 15:10.100]  that impact everybody globally.
[15:10.160 --> 15:12.320]  So what if we can take
[15:12.320 --> 15:13.020]  those pieces
[15:13.020 --> 15:14.620]  that the top scientists
[15:14.620 --> 15:15.280]  in the world,
[15:15.280 --> 15:16.220]  the top in their industries
[15:16.220 --> 15:17.240]  are taking to solve
[15:17.240 --> 15:19.480]  the world's most challenging problems?
[15:19.520 --> 15:20.620]  I'm sure we can apply that
[15:20.620 --> 15:22.680]  to our daily bug bounty targets
[15:22.680 --> 15:24.580]  or our daily security processes
[15:24.580 --> 15:26.020]  that we need to improve.
[15:26.020 --> 15:26.940]  But in the same way,
[15:26.940 --> 15:27.720]  we don't have to spend
[15:27.720 --> 15:28.920]  tens of thousands of dollars
[15:28.920 --> 15:29.540]  for this.
[15:29.540 --> 15:31.080]  The other neat thing about it
[15:31.080 --> 15:33.080]  is it's financially viable.
[15:33.180 --> 15:35.180]  We can now stand up servers
[15:35.180 --> 15:37.360]  that have 128 gigabytes
[15:38.140 --> 15:39.100]  of memory.
[15:39.100 --> 15:42.100]  You can do unlimited storage.
[15:42.100 --> 15:43.120]  And the nice thing is
[15:43.120 --> 15:43.900]  you don't have to pay
[15:43.900 --> 15:44.700]  thousands of dollars
[15:44.700 --> 15:46.500]  to buy this from a capital standpoint.
[15:46.500 --> 15:48.240]  It's all operating expense.
[15:48.240 --> 15:49.560]  So as you look at it,
[15:49.560 --> 15:50.720]  if you need to run something
[15:50.720 --> 15:52.160]  that's extremely memory intensive
[15:52.160 --> 15:53.640]  and it's just one operation
[15:53.640 --> 15:54.560]  or a loop,
[15:54.560 --> 15:55.700]  you literally could stand up
[15:55.860 --> 15:56.760]  a massive server
[15:56.760 --> 15:58.360]  for just a couple minutes.
[15:58.360 --> 16:00.320]  It might cost you $10, $20
[16:00.320 --> 16:02.280]  for maybe five or ten minutes
[16:02.280 --> 16:03.380]  of processing.
[16:03.620 --> 16:04.480]  But rather than needing
[16:04.480 --> 16:05.900]  to invest $80,000
[16:05.900 --> 16:07.960]  in similar hardware equipment,
[16:07.960 --> 16:08.900]  you now can do this
[16:08.900 --> 16:10.760]  in your home office,
[16:10.760 --> 16:11.540]  in your home lab
[16:11.540 --> 16:13.940]  through the cloud capabilities
[16:13.940 --> 16:14.640]  charging.
[16:14.640 --> 16:15.520]  And that $20,
[16:15.520 --> 16:16.240]  if you think about it
[16:16.240 --> 16:18.320]  in terms of bug bounty investment,
[16:18.320 --> 16:20.120]  that's one P4.
[16:20.120 --> 16:22.380]  And you have that well covered.
[16:22.380 --> 16:23.540]  I mean, that's on the low end
[16:23.540 --> 16:24.820]  thinking in terms of that.
[16:24.820 --> 16:25.740]  But just looking at it
[16:25.740 --> 16:26.940]  from a business perspective,
[16:26.940 --> 16:27.680]  thinking in terms of
[16:27.680 --> 16:30.360]  how can I continue to invest
[16:30.360 --> 16:31.680]  in my capabilities,
[16:31.680 --> 16:32.440]  the technologies,
[16:32.440 --> 16:33.240]  the processes,
[16:33.240 --> 16:34.660]  so I can gain more time
[16:34.660 --> 16:35.820]  and I can make the time
[16:35.820 --> 16:37.640]  that I spend actually manually
[16:37.640 --> 16:38.460]  doing things,
[16:38.460 --> 16:39.760]  evaluating parts,
[16:39.760 --> 16:40.420]  how can I make it
[16:40.420 --> 16:42.160]  the most beneficial to myself.
[16:47.700 --> 16:48.800]  So now let's take a look
[16:48.800 --> 16:50.520]  at the various tooling
[16:50.520 --> 16:51.740]  that we can use.
[16:51.740 --> 16:52.160]  We've looked at
[16:52.160 --> 16:53.380]  the architecture diagram.
[16:53.380 --> 16:54.020]  I'd like to just give
[16:54.160 --> 16:54.800]  a quick overview
[16:54.800 --> 16:55.900]  of the different components,
[16:55.900 --> 16:56.900]  especially if you're not familiar
[16:56.900 --> 16:58.200]  with the AWS services
[16:58.200 --> 16:59.200]  that are listed on here,
[16:59.200 --> 17:00.160]  kind of what they do,
[17:00.160 --> 17:01.040]  why they're important
[17:01.040 --> 17:02.780]  and how they can apply to you.
[17:02.860 --> 17:04.520]  So if we go through the list,
[17:04.520 --> 17:07.500]  you saw from the user interaction space
[17:07.500 --> 17:09.360]  the Amazon API Gateway.
[17:09.480 --> 17:10.100]  So what this does
[17:10.100 --> 17:11.460]  is this is just an entry point
[17:11.460 --> 17:12.900]  into your ecosystem.
[17:12.900 --> 17:14.120]  And the neat thing
[17:14.120 --> 17:15.540]  about Amazon API Gateway
[17:15.540 --> 17:17.200]  is there's a lot of things
[17:17.820 --> 17:18.560]  you can do with it,
[17:18.560 --> 17:20.000]  but where I've really leveraged it
[17:20.000 --> 17:21.640]  is as a proxy
[17:21.640 --> 17:23.200]  into your Lambda function.
[17:23.200 --> 17:23.840]  So what you can do
[17:23.840 --> 17:25.100]  is you can do basically
[17:25.320 --> 17:25.880]  a GET request
[17:25.880 --> 17:26.800]  or a POST request
[17:26.800 --> 17:27.940]  through the API Gateway
[17:27.940 --> 17:29.580]  and pass that directly
[17:29.580 --> 17:32.020]  into an AWS Lambda function.
[17:32.160 --> 17:33.400]  And if you think in terms of
[17:33.400 --> 17:34.000]  what you've seen
[17:34.000 --> 17:35.800]  in the Jupyter notebooks
[17:36.400 --> 17:37.640]  and Python libraries
[17:37.640 --> 17:38.860]  and any functions you run
[17:38.860 --> 17:39.960]  where you pass something,
[17:39.960 --> 17:41.100]  you literally can pass it
[17:41.100 --> 17:42.140]  through a GET request
[17:42.140 --> 17:42.920]  through the API Gateway
[17:42.920 --> 17:44.680]  into AWS Lambda.
[17:44.680 --> 17:45.500]  So I kind of view that
[17:45.500 --> 17:47.920]  as top tier level of services
[17:47.920 --> 17:49.240]  where you've really normalized
[17:49.240 --> 17:50.140]  your content,
[17:50.140 --> 17:51.780]  you have exception handling,
[17:51.780 --> 17:53.220]  you know that you're ready
[17:53.220 --> 17:54.640]  to completely automate this,
[17:54.640 --> 17:55.300]  let's promote it
[17:55.300 --> 17:56.640]  into a Lambda function,
[17:56.640 --> 17:57.660]  pull it out of your
[17:57.660 --> 17:58.560]  Jupyter notebook,
[17:58.560 --> 17:59.660]  and then let's put it
[17:59.660 --> 18:00.780]  behind an API Gateway
[18:00.780 --> 18:01.420]  so you can really
[18:01.420 --> 18:01.860]  kick it off
[18:01.860 --> 18:03.140]  and call it ad hoc
[18:03.140 --> 18:03.740]  as you need
[18:03.740 --> 18:04.820]  and really start
[18:04.820 --> 18:06.300]  your ecosystem of automation
[18:06.300 --> 18:07.580]  around there.
[18:08.340 --> 18:09.280]  Another tool is
[18:09.280 --> 18:10.320]  Amazon SageMaker
[18:10.320 --> 18:11.200]  and it's really
[18:12.640 --> 18:13.520]  a larger framework
[18:13.520 --> 18:15.560]  and compute system
[18:15.560 --> 18:16.680]  where you can do more things
[18:16.680 --> 18:17.560]  like machine learning
[18:17.560 --> 18:18.620]  and training
[18:18.620 --> 18:19.400]  and all of that.
[18:19.400 --> 18:20.740]  But what I pretty much
[18:20.740 --> 18:21.620]  solely use it for
[18:21.620 --> 18:22.740]  are the Jupyter notebooks.
[18:22.740 --> 18:23.580]  So you can stand up
[18:23.580 --> 18:24.400]  the Jupyter notebooks,
[18:24.400 --> 18:25.260]  you can run it,
[18:25.260 --> 18:26.640]  you can adjust the size on it
[18:26.640 --> 18:27.800]  so if you need a lot more
[18:27.800 --> 18:29.620]  gigabytes or storage
[18:29.620 --> 18:30.460]  for a duration
[18:30.460 --> 18:31.540]  or a function,
[18:31.800 --> 18:32.280]  a lot of times
[18:32.280 --> 18:33.320]  I'll ramp up
[18:33.320 --> 18:35.560]  and use a larger
[18:35.560 --> 18:36.340]  instance of it
[18:36.340 --> 18:37.500]  for just a few minutes
[18:37.500 --> 18:38.760]  or just to do that process
[18:38.760 --> 18:40.720]  and then I'll turn it down
[18:40.720 --> 18:42.140]  to kind of the standard level.
[18:42.140 --> 18:43.460]  So Amazon SageMaker
[18:43.460 --> 18:44.380]  is really the tool
[18:44.380 --> 18:45.300]  mechanism for running
[18:45.300 --> 18:46.600]  the Jupyter notebooks.
[18:46.900 --> 18:48.280]  The static website
[18:48.280 --> 18:49.200]  hosting S3,
[18:49.200 --> 18:50.240]  that's an S3 bucket,
[18:50.240 --> 18:51.640]  you can actually set those up
[18:51.640 --> 18:52.400]  so that they can host
[18:52.400 --> 18:53.460]  web content,
[18:53.460 --> 18:54.600]  make them publicly available
[18:54.600 --> 18:55.320]  so you hit it,
[18:55.320 --> 18:56.580]  you can set an index
[18:56.580 --> 18:57.580]  HTML page,
[18:57.580 --> 18:58.500]  you can run it,
[18:58.500 --> 18:59.360]  and you can run websites
[18:59.360 --> 19:00.280]  out of S3 buckets
[19:00.280 --> 19:02.060]  which is really neat.
[19:02.940 --> 19:05.360]  The Amazon Simple Notification Service,
[19:05.360 --> 19:06.460]  it's a way that you can
[19:06.460 --> 19:07.640]  send push messages
[19:07.640 --> 19:09.820]  to whether it's SMS text,
[19:09.820 --> 19:11.240]  whether it's emails,
[19:11.240 --> 19:11.860]  different things.
[19:11.860 --> 19:12.500]  So it's really just
[19:12.660 --> 19:13.600]  a notification service
[19:13.600 --> 19:14.600]  that we can do.
[19:14.600 --> 19:15.200]  In this case,
[19:15.200 --> 19:16.280]  I'll show a code snippet
[19:16.280 --> 19:17.240]  where we can actually
[19:17.240 --> 19:18.340]  send ourselves text
[19:18.340 --> 19:19.340]  so that way we know
[19:19.340 --> 19:19.900]  if there's anything
[19:19.900 --> 19:20.520]  that's going to take
[19:20.640 --> 19:21.260]  a little bit of time
[19:21.260 --> 19:22.440]  or you just want to get notified
[19:22.440 --> 19:24.360]  or have the final URL
[19:24.360 --> 19:24.940]  where you're going to
[19:24.940 --> 19:25.700]  access your data,
[19:25.700 --> 19:26.420]  you can get texted
[19:26.420 --> 19:27.560]  whenever it's ready.
[19:27.560 --> 19:28.440]  So you can kind of do
[19:28.440 --> 19:30.240]  bug bounty, reconnaissance,
[19:30.240 --> 19:31.260]  all of this on the fly
[19:31.260 --> 19:32.280]  as you build this system
[19:32.280 --> 19:33.420]  which is pretty cool.
[19:35.140 --> 19:36.420]  Now as we move into
[19:36.420 --> 19:38.940]  the processing and computation layers,
[19:38.940 --> 19:40.800]  AWS Lambda is really
[19:40.800 --> 19:43.200]  what's used to run code.
[19:43.200 --> 19:44.480]  So you can set it up,
[19:44.480 --> 19:45.900]  it runs a lot of different things,
[19:45.900 --> 19:46.800]  it's not just Python,
[19:46.800 --> 19:47.660]  but it's Node,
[19:48.560 --> 19:51.500]  and it runs on a serverless compute
[19:51.500 --> 19:52.980]  so really you put
[19:52.980 --> 19:54.000]  the code in there,
[19:54.000 --> 19:54.620]  it will stand up
[19:54.620 --> 19:55.540]  the compute resources
[19:55.540 --> 19:56.500]  and it only runs
[19:56.500 --> 19:57.220]  for a duration.
[19:57.220 --> 19:58.040]  I think the longest
[19:58.040 --> 19:59.140]  that you can run a Lambda
[19:59.140 --> 20:00.340]  is about 15 minutes
[20:00.340 --> 20:01.540]  so you're charged
[20:01.540 --> 20:02.520]  based on the duration
[20:02.520 --> 20:03.560]  that the computation
[20:03.560 --> 20:04.700]  is running.
[20:04.780 --> 20:05.620]  So if you think in terms
[20:05.620 --> 20:07.280]  of smaller Python functions
[20:07.280 --> 20:08.240]  that you have ready
[20:08.240 --> 20:09.760]  to automate and scale,
[20:09.760 --> 20:10.280]  that's where you can
[20:10.280 --> 20:11.420]  migrate them to the Lambdas
[20:11.420 --> 20:12.340]  and they can just always
[20:12.340 --> 20:13.200]  be ready to work
[20:13.200 --> 20:14.340]  off of triggers.
[20:15.560 --> 20:17.560]  The Amazon Elastic Block Storage,
[20:17.640 --> 20:18.620]  a lot of times,
[20:18.620 --> 20:19.880]  S3, there's a little bit
[20:19.880 --> 20:20.380]  of a caveat
[20:20.380 --> 20:21.840]  where S3 you get charged
[20:21.840 --> 20:22.900]  on get requests
[20:22.900 --> 20:23.720]  and put requests
[20:23.720 --> 20:24.580]  and writes,
[20:24.580 --> 20:25.620]  whereas EBS storage
[20:25.620 --> 20:27.020]  you pay for how much storage
[20:27.020 --> 20:27.840]  that you have assigned
[20:27.840 --> 20:28.480]  and allocated.
[20:28.480 --> 20:29.460]  So depending if I think
[20:29.460 --> 20:30.700]  I'm going to do millions
[20:30.700 --> 20:31.760]  of reads or writes,
[20:31.760 --> 20:32.920]  sometimes I'll do a lot
[20:32.920 --> 20:33.760]  of my testing against
[20:33.760 --> 20:34.780]  Elastic Block Storage
[20:34.780 --> 20:35.820]  and then once I have
[20:35.820 --> 20:36.580]  something that I know
[20:36.580 --> 20:37.620]  is ready to go robust
[20:37.620 --> 20:38.560]  and I want to leverage it
[20:38.560 --> 20:39.680]  in the greater ecosystem,
[20:39.680 --> 20:40.320]  I'll move it over
[20:40.320 --> 20:41.580]  to our data storage tiers
[20:41.580 --> 20:42.460]  while they're in the refined
[20:43.140 --> 20:45.100]  or the raw data levels
[20:45.100 --> 20:46.760]  to do more normalized
[20:46.760 --> 20:50.020]  and automated operations against.
[20:50.860 --> 20:52.120]  AWS Glue is a way
[20:52.120 --> 20:53.140]  that you can set up
[20:53.140 --> 20:54.540]  and you can crawl data sets.
[20:54.540 --> 20:55.800]  So Athena is,
[20:55.800 --> 20:56.560]  you picture that,
[20:56.560 --> 20:57.280]  is like you write
[20:57.280 --> 20:58.500]  your SQL queries
[20:58.500 --> 20:59.640]  and your query language
[20:59.640 --> 21:00.780]  and it will run it
[21:00.780 --> 21:01.700]  and distribute it
[21:01.700 --> 21:02.920]  against data sets
[21:02.920 --> 21:04.240]  and it can run
[21:04.240 --> 21:05.840]  against CSV files,
[21:05.840 --> 21:06.480]  it can run against
[21:06.480 --> 21:07.700]  relational data stores,
[21:07.700 --> 21:08.900]  unstructured data,
[21:08.900 --> 21:09.320]  and all those.
[21:09.320 --> 21:10.240]  So it's really powerful
[21:10.240 --> 21:11.420]  and if you haven't ever
[21:11.420 --> 21:12.140]  dug into it,
[21:12.140 --> 21:13.200]  AWS Athena,
[21:13.200 --> 21:14.420]  I highly recommend it.
[21:14.420 --> 21:15.480]  There's a lot of power in it
[21:15.480 --> 21:16.240]  and you can literally
[21:16.240 --> 21:16.960]  just sit there
[21:16.960 --> 21:18.700]  and use the console interface
[21:18.700 --> 21:19.880]  and pretty much
[21:19.880 --> 21:21.120]  ad hoc write queries
[21:21.120 --> 21:22.120]  against big data sets
[21:22.120 --> 21:23.720]  if you decide to as well.
[21:23.960 --> 21:24.880]  And then Glue is,
[21:24.880 --> 21:26.100]  I started talking,
[21:26.100 --> 21:26.960]  it's what indexes
[21:27.600 --> 21:28.520]  a lot of those data points
[21:28.520 --> 21:29.020]  around it.
[21:29.020 --> 21:29.640]  So you can create
[21:29.640 --> 21:30.460]  Glue indexes
[21:30.460 --> 21:31.380]  so you don't have to
[21:31.380 --> 21:32.940]  query the entire data set
[21:32.940 --> 21:33.820]  every single time
[21:33.820 --> 21:35.420]  and you can do those.
[21:36.360 --> 21:37.520]  AWS Step Functions,
[21:37.520 --> 21:38.320]  you won't see anything
[21:38.320 --> 21:39.160]  in the demos today
[21:39.160 --> 21:40.220]  leveraging this,
[21:40.220 --> 21:40.900]  but this is kind of
[21:41.040 --> 21:41.780]  a future capability
[21:41.780 --> 21:42.680]  where I want to leverage
[21:42.680 --> 21:43.900]  where you can actually,
[21:43.900 --> 21:44.760]  it's like setting up
[21:44.760 --> 21:45.920]  workflows and processes
[21:45.920 --> 21:47.980]  and you need X to happen
[21:47.980 --> 21:49.340]  and then once X completes,
[21:49.340 --> 21:49.980]  you can send the output
[21:49.980 --> 21:50.740]  to this one
[21:50.740 --> 21:51.960]  and do, right now,
[21:51.960 --> 21:52.860]  I'm just leveraging things
[21:52.860 --> 21:53.560]  off of triggers
[21:53.560 --> 21:54.260]  and alarms
[21:54.260 --> 21:56.000]  and Lambda files,
[21:56.000 --> 21:57.080]  but you can really start
[21:57.080 --> 21:58.420]  to use AWS Step Functions
[21:58.420 --> 21:59.580]  as orchestration,
[21:59.580 --> 22:01.460]  as a central core piece.
[22:01.460 --> 22:02.180]  So something I'm going
[22:02.180 --> 22:02.900]  to dig into more
[22:02.900 --> 22:03.840]  in the future.
[22:04.620 --> 22:05.700]  AWS Secrets Manager
[22:05.700 --> 22:06.720]  is a place that,
[22:06.720 --> 22:07.560]  so you can move
[22:07.560 --> 22:08.640]  all of your secrets,
[22:08.640 --> 22:09.340]  your API keys,
[22:09.340 --> 22:10.340]  out of your code,
[22:10.340 --> 22:11.700]  put them in Secrets Manager.
[22:11.700 --> 22:13.280]  It's a quick call out.
[22:13.280 --> 22:14.520]  You can load them,
[22:14.520 --> 22:15.380]  you can store them,
[22:15.380 --> 22:16.220]  and you can kind of
[22:16.220 --> 22:17.060]  store other parameters
[22:17.060 --> 22:18.080]  in there as you need as well.
[22:18.080 --> 22:18.580]  You can pull them back
[22:18.580 --> 22:19.160]  into your code
[22:19.160 --> 22:21.040]  so they don't sit as code,
[22:21.040 --> 22:21.580]  but you can use them
[22:21.580 --> 22:22.760]  as variables on the fly.
[22:22.760 --> 22:23.500]  So I highly recommend
[22:23.500 --> 22:24.200]  digging in there.
[22:24.200 --> 22:25.040]  There's some accelerators
[22:25.040 --> 22:25.600]  that you'll see
[22:25.600 --> 22:27.120]  that talk to those.
[22:27.760 --> 22:29.440]  And then on the right side
[22:29.440 --> 22:30.720]  are just all the S3 buckets
[22:30.720 --> 22:31.660]  and you can create
[22:31.660 --> 22:32.580]  multiple S3 buckets
[22:32.580 --> 22:33.660]  and have the different stores
[22:33.660 --> 22:34.800]  and it's just long term
[22:34.800 --> 22:37.380]  data storage for you.
[22:40.180 --> 22:42.220]  So let's jump in with a demo.
[22:42.540 --> 22:44.280]  This demo is going to show
[22:44.280 --> 22:45.460]  how we can query
[22:46.080 --> 22:47.460]  Rapid7's Project Sonar,
[22:47.460 --> 22:48.380]  which is essentially
[22:48.380 --> 22:49.760]  the FDNS
[22:49.760 --> 22:51.480]  of the entire internet.
[22:51.480 --> 22:52.080]  And it's sitting
[22:52.080 --> 22:52.840]  in a dataset
[22:52.840 --> 22:54.160]  within S3.
[22:54.160 --> 22:54.980]  So rather than try
[22:54.980 --> 22:56.400]  to copy that entire dataset
[22:56.400 --> 22:57.980]  down into our own system,
[22:57.980 --> 22:59.160]  we're going to leverage
[22:59.360 --> 23:00.100]  a Jupyter Notebook
[23:00.100 --> 23:01.100]  and we're going to actually
[23:02.120 --> 23:03.600]  run a distributed query
[23:03.600 --> 23:05.200]  against that external dataset
[23:05.200 --> 23:07.400]  that's hosted in
[23:07.400 --> 23:09.260]  not our own S3 bucket,
[23:09.260 --> 23:11.200]  but the public datasets bucket.
[23:11.380 --> 23:12.420]  And we're going to get
[23:12.420 --> 23:13.100]  the results back
[23:13.100 --> 23:14.520]  and we're going to process it.
[23:14.520 --> 23:15.280]  And we're going to do it
[23:15.280 --> 23:16.740]  in just a matter of...
[23:16.740 --> 23:17.620]  it's probably going to take
[23:17.720 --> 23:18.200]  a couple of minutes
[23:18.200 --> 23:18.780]  as we walk through
[23:18.780 --> 23:19.900]  and talk through the code,
[23:19.900 --> 23:20.960]  but this is literally,
[23:20.960 --> 23:22.140]  I think generally the queries
[23:22.140 --> 23:23.160]  around the FDNS
[23:23.160 --> 23:24.660]  for a domain wildcard
[23:24.660 --> 23:26.440]  is about 26 seconds.
[23:26.660 --> 23:28.740]  So let's walk through this.
[23:29.540 --> 23:30.620]  So on the screen here
[23:30.620 --> 23:32.580]  you can see my Jupyter Notebook
[23:32.580 --> 23:34.440]  and what we'll do is
[23:34.440 --> 23:35.280]  we'll walk through this too
[23:35.280 --> 23:36.160]  because I want you to think
[23:36.160 --> 23:37.420]  in terms of how can I reuse
[23:37.420 --> 23:38.200]  these components,
[23:38.200 --> 23:39.420]  how is this applicable
[23:39.420 --> 23:41.020]  well beyond just this
[23:41.020 --> 23:42.380]  sonar use case.
[23:42.480 --> 23:43.720]  So let's go ahead and start.
[23:43.720 --> 23:44.800]  We're going to go ahead
[23:44.800 --> 23:46.240]  and run this first section
[23:46.240 --> 23:47.100]  of code here.
[23:47.100 --> 23:48.140]  And this is what I talked about
[23:48.140 --> 23:49.220]  earlier too, which is nice
[23:49.220 --> 23:50.400]  is that if you're not
[23:50.400 --> 23:51.480]  an expert at code,
[23:51.480 --> 23:52.120]  you run it,
[23:52.120 --> 23:52.860]  you can break it down
[23:52.860 --> 23:53.620]  into cells,
[23:53.620 --> 23:54.700]  and you can run each cell.
[23:54.700 --> 23:55.260]  So we're going to run
[23:55.260 --> 23:56.440]  this first cell.
[23:56.520 --> 23:57.640]  What we just did was
[23:57.640 --> 24:00.280]  you can see this execution ID here.
[24:00.300 --> 24:02.440]  What we did is we set our domain
[24:03.300 --> 24:04.600]  to Microsoft.com
[24:04.600 --> 24:05.680]  so we're actually querying
[24:05.680 --> 24:06.720]  all the wildcards
[24:06.720 --> 24:07.820]  of the Microsoft domain
[24:09.180 --> 24:10.080]  FDNS space.
[24:10.080 --> 24:10.820]  And keep in mind,
[24:10.820 --> 24:11.720]  we are not touching
[24:11.720 --> 24:13.580]  any of Microsoft's systems.
[24:13.580 --> 24:15.240]  This is purely utilizing
[24:15.960 --> 24:17.340]  the FDNS dataset
[24:17.340 --> 24:18.580]  and we're getting the results
[24:18.580 --> 24:19.440]  from there.
[24:19.800 --> 24:20.620]  And then what we've done
[24:20.620 --> 24:21.840]  is we've set some
[24:21.840 --> 24:22.960]  of our variables around
[24:22.960 --> 24:23.740]  our bucket of where
[24:23.740 --> 24:25.480]  we want to store the results,
[24:25.480 --> 24:26.720]  what database we want to query
[24:26.720 --> 24:27.740]  against in Athena,
[24:27.740 --> 24:28.700]  which we've had some...
[24:28.700 --> 24:30.040]  the setup information
[24:30.040 --> 24:30.800]  is all contained
[24:30.800 --> 24:31.740]  within the GitHub as well
[24:31.740 --> 24:33.120]  so you can set that up.
[24:33.120 --> 24:33.800]  And then the table
[24:33.800 --> 24:35.340]  we want to query against.
[24:35.580 --> 24:36.520]  What we do next
[24:36.520 --> 24:38.680]  is we set up our query.
[24:38.680 --> 24:39.460]  So what this is doing
[24:39.460 --> 24:40.600]  is basically just saying
[24:42.340 --> 24:43.140]  select everything
[24:43.140 --> 24:44.500]  from wildcard
[24:44.500 --> 24:46.000]  microsoft.com
[24:46.000 --> 24:47.440]  and then we select
[24:47.440 --> 24:48.240]  the latest date
[24:48.240 --> 24:49.180]  of the dataset
[24:49.180 --> 24:50.040]  so that way we don't
[24:50.040 --> 24:50.900]  historically go through
[24:50.900 --> 24:52.160]  every single one iteration
[24:52.160 --> 24:53.260]  that we have.
[24:53.880 --> 24:55.080]  It issues the
[24:55.560 --> 24:56.640]  Athena query.
[24:56.640 --> 24:58.000]  It takes about 26 seconds
[24:58.000 --> 24:58.400]  to run.
[24:58.400 --> 24:58.900]  We have the
[24:58.900 --> 25:00.740]  Athena query ID here.
[25:00.740 --> 25:01.520]  So in this next
[25:02.020 --> 25:02.820]  component,
[25:02.820 --> 25:03.820]  I will actually
[25:03.820 --> 25:04.560]  jump back up.
[25:04.560 --> 25:05.500]  This run command
[25:05.500 --> 25:06.960]  that I'm highlighting,
[25:06.960 --> 25:08.160]  this is actually a way
[25:08.160 --> 25:08.900]  that you can call
[25:08.900 --> 25:09.720]  other notebooks,
[25:09.720 --> 25:10.500]  which is kind of neat.
[25:10.500 --> 25:11.240]  So as you think about
[25:11.240 --> 25:12.480]  in terms of you call functions
[25:12.480 --> 25:13.900]  within programming code,
[25:13.900 --> 25:14.940]  this will actually run
[25:14.940 --> 25:15.860]  and load an entire
[25:15.860 --> 25:16.440]  notebook.
[25:16.440 --> 25:17.040]  So what I've done is
[25:17.040 --> 25:18.060]  I try to take anything
[25:18.060 --> 25:19.280]  that's not tool specific
[25:19.740 --> 25:21.160]  and I put it in kind of
[25:21.280 --> 25:21.980]  a common notebook
[25:21.980 --> 25:23.200]  that you can set
[25:23.420 --> 25:23.860]  a lot of different
[25:23.860 --> 25:24.640]  things to run.
[25:24.640 --> 25:26.220]  So what this is
[25:26.220 --> 25:27.040]  actually doing is
[25:27.040 --> 25:28.220]  the query Athena
[25:28.220 --> 25:29.440]  function is running
[25:29.440 --> 25:30.060]  out of that other
[25:30.060 --> 25:30.840]  notebook because
[25:30.840 --> 25:32.300]  I've set it up well
[25:32.300 --> 25:32.980]  enough that you can
[25:32.980 --> 25:34.020]  pass in the
[25:34.020 --> 25:35.480]  results bucket.
[25:35.480 --> 25:36.220]  You just send it
[25:36.220 --> 25:37.040]  the query in the
[25:37.040 --> 25:37.680]  Athena database
[25:37.680 --> 25:38.780]  and it will kick it off
[25:38.780 --> 25:39.500]  so it doesn't matter
[25:39.500 --> 25:40.760]  what tool specific
[25:40.760 --> 25:41.300]  or anything.
[25:41.300 --> 25:42.340]  It will just run a query
[25:42.340 --> 25:43.320]  that you tell it to run
[25:43.900 --> 25:45.020]  which is why I moved
[25:45.020 --> 25:45.880]  it into that kind of
[25:45.880 --> 25:46.840]  standardized function
[25:47.740 --> 25:48.460]  area.
[25:49.800 --> 25:50.560]  So what we're going
[25:50.560 --> 25:51.100]  to do is we're going
[25:51.100 --> 25:51.900]  to run this next one
[25:51.900 --> 25:52.520]  and this is going to
[25:52.520 --> 25:53.340]  generate, pull the
[25:53.340 --> 25:54.040]  results back.
[25:54.040 --> 25:54.780]  So you can see that
[25:54.780 --> 25:55.780]  it's already succeeded.
[25:55.780 --> 25:56.420]  If we were to run this
[25:56.420 --> 25:57.100]  immediately it would
[25:57.100 --> 25:57.780]  just go in a loop
[25:57.780 --> 25:58.900]  and it would circle
[25:58.900 --> 25:59.760]  every five seconds
[25:59.760 --> 26:00.460]  and check for the
[26:00.460 --> 26:01.500]  results back.
[26:01.640 --> 26:02.920]  But it's pulled back
[26:02.920 --> 26:05.620]  18,695 different rows
[26:05.620 --> 26:06.680]  and you can see the
[26:06.680 --> 26:07.620]  types of information
[26:07.620 --> 26:08.240]  we've just pulled
[26:08.240 --> 26:08.720]  back.
[26:08.720 --> 26:10.020]  So think you have
[26:10.020 --> 26:12.320]  18,695 different rows
[26:12.320 --> 26:13.360]  basically for DNS
[26:13.360 --> 26:13.980]  entries from
[26:13.980 --> 26:15.040]  Microsoft.com in
[26:15.040 --> 26:16.220]  under 26 seconds
[26:16.220 --> 26:18.540]  with the IP
[26:18.540 --> 26:19.400]  addresses, the
[26:19.400 --> 26:20.480]  CNAMEs, A records,
[26:20.480 --> 26:21.500]  MX records, all of
[26:21.500 --> 26:22.280]  those.
[26:23.000 --> 26:24.040]  And then with that
[26:24.040 --> 26:24.780]  we're going to do
[26:24.780 --> 26:25.520]  this next thing is
[26:25.520 --> 26:26.500]  this is actually
[26:26.500 --> 26:27.560]  going to leverage
[26:27.560 --> 26:28.260]  the MaxMind
[26:28.260 --> 26:29.260]  database and we're
[26:29.260 --> 26:29.980]  going to start
[26:29.980 --> 26:31.140]  figuring out
[26:31.140 --> 26:32.280]  querying for the
[26:32.280 --> 26:33.760]  IP addresses and
[26:33.760 --> 26:34.500]  getting all that
[26:34.500 --> 26:35.300]  information back.
[26:35.300 --> 26:35.840]  So let's go ahead
[26:35.840 --> 26:36.560]  and run this and
[26:36.560 --> 26:37.180]  what this will do
[26:37.180 --> 26:38.500]  is it creates a
[26:38.500 --> 26:40.480]  data frame which
[26:40.480 --> 26:41.800]  leverages Pandas.
[26:41.800 --> 26:42.080]  So Pandas is a
[26:42.080 --> 26:43.080]  library within Python
[26:43.800 --> 26:44.720]  that you can run
[26:44.720 --> 26:45.980]  and I completely
[26:45.980 --> 26:46.760]  recommend it.
[26:46.760 --> 26:47.520]  It is one of the
[26:47.520 --> 26:48.180]  best things that I've
[26:48.180 --> 26:49.060]  ever found in terms
[26:49.060 --> 26:50.560]  of doing metrics and
[26:50.560 --> 26:51.200]  analysis and
[26:51.200 --> 26:51.680]  automation.
[26:51.680 --> 26:52.200]  But you can see it
[26:52.200 --> 26:54.520]  just processed 18,695
[26:54.520 --> 26:55.500]  rows in just a few
[26:55.500 --> 26:56.120]  seconds.
[26:56.120 --> 26:57.040]  And now we have the
[26:57.040 --> 26:58.340]  latitudes, longitudes,
[26:58.340 --> 26:58.840]  countries, and
[26:58.840 --> 26:59.500]  localities all
[26:59.500 --> 27:00.940]  merged to all
[27:00.940 --> 27:02.480]  18,000 entries.
[27:03.140 --> 27:03.460]  So what we're
[27:03.460 --> 27:04.240]  going to do now is
[27:04.240 --> 27:05.560]  if you say, hey, I
[27:05.560 --> 27:06.220]  just did all this
[27:06.220 --> 27:07.160]  work, I don't want a
[27:07.160 --> 27:07.820]  chance of losing it
[27:07.820 --> 27:09.160]  even though theoretically
[27:09.160 --> 27:10.280]  you could redo this
[27:10.280 --> 27:10.920]  over about 30
[27:10.920 --> 27:11.660]  seconds.
[27:11.740 --> 27:12.740]  But if you want, you
[27:12.740 --> 27:13.620]  can use this command
[27:14.000 --> 27:15.620]  and you can save your
[27:15.620 --> 27:16.860]  data frame off to
[27:16.860 --> 27:18.020]  Excel so you can save
[27:18.020 --> 27:18.480]  it locally.
[27:18.480 --> 27:19.200]  So if you run this, it
[27:19.200 --> 27:19.920]  will just print and
[27:19.920 --> 27:20.840]  store those 18,000
[27:20.840 --> 27:21.720]  records into an Excel
[27:21.720 --> 27:22.480]  spreadsheet which you
[27:22.480 --> 27:23.580]  can reload later on
[27:23.580 --> 27:24.960]  which is pretty handy
[27:24.960 --> 27:25.700]  to use.
[27:25.700 --> 27:26.500]  And if you want to
[27:26.500 --> 27:27.600]  save your artifacts and
[27:27.980 --> 27:28.860]  data points, you can
[27:28.860 --> 27:29.860]  always do that.
[27:31.480 --> 27:32.300]  So what we'll do now
[27:32.300 --> 27:32.840]  is we're going to run
[27:32.840 --> 27:34.020]  this next command and
[27:34.020 --> 27:34.940]  what this does is it
[27:34.940 --> 27:35.660]  just aggregates.
[27:35.660 --> 27:36.200]  And you can see how
[27:36.200 --> 27:36.800]  fast that was.
[27:36.800 --> 27:37.780]  It was almost instantaneous
[27:37.780 --> 27:38.580]  when I pressed the
[27:38.580 --> 27:39.460]  start button and it
[27:39.460 --> 27:41.120]  just grouped up all
[27:41.120 --> 27:42.180]  the different latitudes
[27:42.180 --> 27:43.320]  and longitudes so that
[27:43.320 --> 27:44.220]  we can get ready to
[27:44.220 --> 27:45.100]  plot them on a heat
[27:45.100 --> 27:45.720]  map.
[27:46.040 --> 27:48.260]  So we know 525 had
[27:48.260 --> 27:49.000]  this latitude,
[27:49.000 --> 27:50.560]  longitude, and it did
[27:50.560 --> 27:51.580]  all that work.
[27:51.580 --> 27:52.280]  And we can dig in.
[27:52.280 --> 27:53.420]  This also calls that
[27:54.540 --> 27:55.680]  the other notebook
[27:55.680 --> 27:56.840]  because it's
[27:56.840 --> 27:57.720]  centralized and it's
[27:57.720 --> 27:58.900]  not specific to the
[27:58.900 --> 27:59.860]  Project Sonar data
[27:59.860 --> 28:00.300]  set.
[28:00.300 --> 28:02.080]  So you can reuse and
[28:02.080 --> 28:03.480]  redo any of that.
[28:03.660 --> 28:04.340]  I am going to jump
[28:04.340 --> 28:05.000]  back up, though.
[28:05.000 --> 28:05.740]  I think this is
[28:05.740 --> 28:06.300]  something that's
[28:06.300 --> 28:07.040]  pretty neat.
[28:07.040 --> 28:07.740]  And if you think
[28:07.740 --> 28:08.560]  about in terms of
[28:08.560 --> 28:09.780]  how can I reuse some
[28:09.780 --> 28:10.920]  of this, this get
[28:10.920 --> 28:12.000]  location function that
[28:12.000 --> 28:13.200]  I have behind the
[28:13.200 --> 28:13.900]  scenes that just
[28:13.900 --> 28:14.900]  pulled in and merged
[28:14.900 --> 28:16.060]  all this together,
[28:16.060 --> 28:16.860]  what I did, if you're
[28:16.860 --> 28:18.360]  looking, I passed the
[28:18.360 --> 28:20.160]  entire data frame as
[28:20.380 --> 28:21.240]  a part of the function
[28:21.240 --> 28:22.900]  there and I passed
[28:22.900 --> 28:23.840]  the value column,
[28:23.840 --> 28:24.420]  which is the IP
[28:24.420 --> 28:25.480]  address column.
[28:25.480 --> 28:26.280]  So if you think about
[28:26.280 --> 28:27.920]  reusability, all I
[28:27.920 --> 28:29.220]  literally did was I
[28:29.220 --> 28:30.220]  just took, if you
[28:30.220 --> 28:30.740]  have an Excel
[28:30.740 --> 28:31.640]  spreadsheet of IP
[28:31.640 --> 28:33.620]  addresses or a CSV
[28:33.620 --> 28:34.480]  or anything like
[28:34.480 --> 28:35.100]  that, you load it
[28:35.100 --> 28:36.180]  into a data frame.
[28:36.180 --> 28:36.900]  You can pass that
[28:36.900 --> 28:37.940]  entire data frame.
[28:37.940 --> 28:38.380]  It doesn't matter
[28:38.380 --> 28:38.540]  what it is.
[28:38.540 --> 28:38.680]  It doesn't matter what
[28:38.680 --> 28:39.380]  the rest of it looks
[28:39.380 --> 28:39.740]  like.
[28:39.740 --> 28:40.380]  You pass the data
[28:40.380 --> 28:42.100]  frame name and the
[28:42.100 --> 28:43.460]  column that the IP
[28:43.460 --> 28:44.580]  addresses are in or
[28:46.380 --> 28:47.240]  obviously it will
[28:47.240 --> 28:48.560]  fail on if it's not
[28:48.560 --> 28:49.400]  an IP address as it
[28:49.400 --> 28:50.040]  goes through those
[28:50.040 --> 28:50.560]  because they're
[28:50.560 --> 28:51.260]  CNAMEs.
[28:51.700 --> 28:52.880]  And you do that and
[28:52.880 --> 28:53.660]  you can process it.
[28:53.660 --> 28:54.440]  So anything you have,
[28:54.440 --> 28:55.140]  that's completely
[28:55.140 --> 28:56.060]  reusable and that's
[28:56.060 --> 28:57.300]  just a few lines of
[28:57.300 --> 28:57.660]  code.
[28:57.660 --> 28:58.200]  It's in GitHub.
[28:58.200 --> 28:58.940]  You can pull it and
[28:58.940 --> 29:00.700]  I think in terms of
[29:00.700 --> 29:02.340]  just from a cyber
[29:02.340 --> 29:03.620]  operations, a SOC
[29:03.620 --> 29:04.380]  perspective, you
[29:04.380 --> 29:05.340]  could really get a
[29:05.340 --> 29:06.100]  lot of value out of
[29:06.100 --> 29:06.340]  some of that
[29:06.340 --> 29:06.900]  information.
[29:06.900 --> 29:07.320]  You could look at
[29:07.320 --> 29:08.500]  attackers, web
[29:08.500 --> 29:09.280]  denials, web
[29:09.280 --> 29:10.520]  traffic, who's
[29:10.520 --> 29:11.140]  hitting your web
[29:11.140 --> 29:12.520]  application firewalls
[29:12.520 --> 29:13.280]  and you can do heat
[29:13.280 --> 29:13.900]  maps and different
[29:13.900 --> 29:14.440]  things from an
[29:14.440 --> 29:15.220]  attacker perspective
[29:15.220 --> 29:16.460]  which is pretty cool.
[29:17.660 --> 29:18.900]  So let's go on down.
[29:18.900 --> 29:19.520]  We have that
[29:19.520 --> 29:20.440]  information and then
[29:20.440 --> 29:22.180]  we want to now, let's
[29:22.180 --> 29:22.980]  do this.
[29:22.980 --> 29:23.800]  So this is just a
[29:23.800 --> 29:24.440]  couple lines of
[29:24.440 --> 29:26.020]  code but it's really
[29:26.020 --> 29:26.240]  cool.
[29:26.240 --> 29:27.380]  So this uses the
[29:27.380 --> 29:28.460]  Google Maps API and
[29:28.460 --> 29:29.240]  you can see how fast
[29:29.240 --> 29:29.580]  that was.
[29:29.580 --> 29:32.340]  It just plotted the
[29:33.180 --> 29:33.860]  information we have
[29:33.860 --> 29:34.960]  up here for the
[29:34.960 --> 29:35.160]  latitudes and
[29:35.160 --> 29:35.720]  longitudes and
[29:35.720 --> 29:36.460]  created an
[29:36.980 --> 29:37.460]  interactive heat
[29:37.460 --> 29:38.140]  map so we can
[29:38.140 --> 29:39.760]  zoom in on and
[29:39.760 --> 29:40.600]  see what's going
[29:40.600 --> 29:41.640]  on and this shows
[29:41.640 --> 29:42.540]  the concentrations
[29:42.540 --> 29:44.180]  of Microsoft's
[29:44.180 --> 29:45.280]  forward DNS space
[29:45.280 --> 29:46.140]  across the globe.
[29:46.140 --> 29:47.240]  So you can look and
[29:47.240 --> 29:48.500]  as we zoom in, you
[29:48.500 --> 29:48.920]  can see the
[29:48.920 --> 29:49.580]  different regions
[29:49.580 --> 29:50.760]  they are included
[29:50.760 --> 29:51.500]  in.
[29:52.260 --> 29:53.440]  So let's, if we
[29:53.440 --> 29:54.500]  were just, let's
[29:54.500 --> 29:55.240]  say, let's tackle
[29:55.240 --> 29:56.120]  this is a big area
[29:56.120 --> 29:57.300]  here, you can zoom
[29:57.300 --> 29:57.960]  in and even though
[29:57.960 --> 29:58.660]  it shows Seattle
[29:58.660 --> 30:00.160]  space, you can go
[30:00.160 --> 30:00.900]  and see that it's
[30:00.900 --> 30:01.840]  not all just in
[30:01.840 --> 30:02.440]  Seattle but they
[30:02.440 --> 30:03.440]  have a few offices.
[30:03.440 --> 30:04.000]  It looks like in
[30:04.000 --> 30:04.920]  Redmond, there's some
[30:04.920 --> 30:06.540]  Seattle and above.
[30:06.540 --> 30:07.920]  So pretty cool that
[30:07.920 --> 30:08.880]  it's all interactive
[30:08.880 --> 30:10.180]  and you can do that.
[30:10.180 --> 30:11.140]  And the other neat
[30:11.140 --> 30:11.580]  thing is you're
[30:11.580 --> 30:12.820]  thinking, well, I
[30:12.820 --> 30:13.440]  want to show this to
[30:13.440 --> 30:13.980]  management.
[30:13.980 --> 30:14.700]  How do I show my
[30:14.700 --> 30:15.860]  managers, my leadership
[30:15.860 --> 30:17.000]  about this?
[30:17.020 --> 30:18.060]  And I can't have
[30:18.060 --> 30:19.360]  them just opening a
[30:19.360 --> 30:20.460]  Jupyter notebook all
[30:20.460 --> 30:21.100]  the time and doing
[30:21.100 --> 30:21.720]  this.
[30:21.720 --> 30:22.440]  Well, one thing is
[30:22.440 --> 30:23.260]  you can click the
[30:23.260 --> 30:24.000]  download button and
[30:24.000 --> 30:24.940]  just download the
[30:24.940 --> 30:26.300]  map as an image.
[30:26.300 --> 30:27.700]  But the other pretty
[30:27.700 --> 30:28.160]  neat thing about all
[30:28.160 --> 30:29.260]  this, and if you
[30:29.260 --> 30:30.340]  think about the
[30:31.440 --> 30:32.440]  architecture of how
[30:30.340 --> 30:30.760]  I have that
[30:31.120 --> 30:32.220]  presentation layer,
[30:32.220 --> 30:32.720]  what this next
[30:32.720 --> 30:33.700]  command does is it
[30:33.700 --> 30:35.120]  takes this map and
[30:35.120 --> 30:36.460]  it actually uploads
[30:36.460 --> 30:38.000]  it to an S3
[30:38.000 --> 30:38.880]  bucket that's
[30:38.880 --> 30:40.440]  hosting static
[30:40.440 --> 30:41.740]  content as a
[30:41.740 --> 30:42.500]  website.
[30:42.500 --> 30:43.560]  So then I hit this,
[30:43.560 --> 30:44.940]  I uploaded the map
[30:44.940 --> 30:46.520]  file to the website
[30:46.520 --> 30:47.340]  and then I can
[30:47.340 --> 30:48.360]  navigate over to my
[30:48.360 --> 30:49.480]  bucket and if I hit
[30:49.480 --> 30:50.780]  load content right
[30:50.780 --> 30:52.380]  here, it should pull
[30:52.380 --> 30:54.140]  up that map.
[30:54.140 --> 30:55.180]  And now I can
[30:55.180 --> 30:56.040]  always send any of
[30:56.040 --> 30:57.160]  my leadership, any
[30:57.160 --> 30:57.740]  managers, anybody
[30:57.740 --> 30:58.440]  that wants to see
[30:58.440 --> 30:59.200]  anything, I can run
[30:59.200 --> 30:59.780]  this on an
[30:59.780 --> 31:00.320]  iterative basis
[30:58.340 --> 30:59.340]  while I'm
[31:00.320 --> 31:00.580]  there.
[31:00.580 --> 31:01.500]  It's on every 24
[31:01.500 --> 31:02.280]  hours I run this
[31:02.280 --> 31:03.340]  process and do.
[31:03.540 --> 31:04.100]  And if you think in
[31:04.100 --> 31:05.400]  terms of visually what
[31:05.400 --> 31:06.220]  you want your attack
[31:06.220 --> 31:06.980]  surface to look like
[31:06.980 --> 31:08.200]  for your company, run
[31:08.200 --> 31:08.800]  this against your
[31:08.800 --> 31:09.860]  company every time.
[31:09.860 --> 31:10.580]  Have this dashboard
[31:10.580 --> 31:11.980]  always going and then
[31:11.980 --> 31:12.740]  you could even trigger
[31:12.740 --> 31:13.640]  on anomalies, you
[31:13.640 --> 31:14.120]  could do different
[31:14.120 --> 31:14.820]  things.
[31:14.900 --> 31:16.140]  And it's just pretty
[31:16.140 --> 31:16.860]  neat to always see
[31:16.860 --> 31:18.000]  here, here's our
[31:18.560 --> 31:19.340]  coverage from an
[31:19.340 --> 31:19.940]  internet presence
[31:19.940 --> 31:20.880]  that we have there.
[31:20.880 --> 31:22.160]  So I think there's a
[31:22.160 --> 31:22.880]  lot of value, a lot
[31:22.880 --> 31:23.720]  of opportunity to do
[31:23.720 --> 31:24.360]  in there.
[31:24.360 --> 31:25.040]  And just the fact
[31:25.040 --> 31:25.380]  that you can
[31:25.380 --> 31:26.280]  literally load it
[31:26.280 --> 31:27.660]  and save the
[31:28.980 --> 31:29.860]  interactive mapping
[31:29.860 --> 31:31.480]  part of it to an
[31:31.480 --> 31:33.080]  HTML file and then
[31:33.080 --> 31:33.860]  have people actually
[31:33.860 --> 31:34.700]  go up, browse to
[31:34.700 --> 31:35.540]  it, navigate it,
[31:35.540 --> 31:35.940]  that's pretty
[31:35.940 --> 31:36.740]  exciting.
[31:41.770 --> 31:42.950]  So for this next
[31:42.950 --> 31:44.230]  demo, we're going to
[31:44.230 --> 31:44.970]  use, this is actually
[31:44.970 --> 31:45.590]  one of my favorite
[31:45.590 --> 31:46.630]  ones and I'm really
[31:46.630 --> 31:47.590]  excited to continue
[31:47.590 --> 31:48.310]  the build on the
[31:48.310 --> 31:49.690]  capabilities of this.
[31:49.690 --> 31:51.070]  But this leverages a
[31:51.070 --> 31:52.390]  data set that's
[31:52.390 --> 31:53.050]  publicly available
[31:53.050 --> 31:53.950]  in S3 called
[31:53.950 --> 31:54.870]  Common Crawl.
[31:54.870 --> 31:56.430]  And what it is, it's
[31:56.430 --> 31:57.030]  a project that's
[31:57.030 --> 31:57.630]  been going on now
[31:57.630 --> 31:58.610]  for, I think it's
[31:58.610 --> 31:59.130]  actually been around
[31:59.130 --> 31:59.230]  for about eight
[31:59.230 --> 32:00.170]  years, where it
[32:00.170 --> 32:02.210]  crawls the internet,
[32:02.210 --> 32:03.530]  searches and indexes
[32:03.530 --> 32:05.030]  and actually downloads
[32:05.030 --> 32:06.710]  the HTML of files
[32:06.710 --> 32:07.690]  and stores them in
[32:07.690 --> 32:08.490]  S3 buckets.
[32:08.490 --> 32:09.450]  So it's just a
[32:09.450 --> 32:11.150]  massive repository
[32:11.150 --> 32:12.290]  and similar of
[32:12.290 --> 32:13.050]  basically web
[32:13.050 --> 32:13.510]  archives that you
[32:13.510 --> 32:14.030]  can search.
[32:14.030 --> 32:14.990]  So if you've used
[32:14.990 --> 32:16.270]  Wayback Machine and
[32:16.270 --> 32:16.630]  different components,
[32:16.630 --> 32:18.370]  this is very similar.
[32:18.370 --> 32:18.790]  And so what we're
[32:18.790 --> 32:19.290]  going to do is we're
[32:19.290 --> 32:20.010]  going to actually
[32:20.010 --> 32:20.970]  search it for a
[32:20.970 --> 32:21.170]  domain.
[32:21.170 --> 32:22.450]  We're going to pull
[32:22.450 --> 32:24.370]  back the files and
[32:24.370 --> 32:25.770]  it actually can
[32:25.770 --> 32:26.470]  eventually download
[32:26.470 --> 32:27.310]  the files and we
[32:27.310 --> 32:28.010]  can store them in
[32:28.010 --> 32:28.890]  an S3 bucket and
[32:28.890 --> 32:30.010]  then we can run a
[32:30.010 --> 32:30.590]  bunch of different
[32:30.590 --> 32:31.110]  tools around it.
[32:31.110 --> 32:31.750]  So if we want to
[32:31.750 --> 32:33.390]  do like find URLs or
[32:33.390 --> 32:34.890]  run hakrawler or
[32:35.510 --> 32:36.130]  anything that's going
[32:36.130 --> 32:36.870]  to go through and
[32:36.990 --> 32:37.830]  does a good job of
[32:37.830 --> 32:38.710]  analyzing HTML,
[32:38.710 --> 32:39.630]  whether it's for
[32:39.630 --> 32:40.110]  vulnerabilities,
[32:40.110 --> 32:41.530]  whether it's for URLs,
[32:41.530 --> 32:42.390]  whether it's for
[32:42.390 --> 32:43.450]  parameters, we can do
[32:43.450 --> 32:44.210]  that against it.
[32:44.210 --> 32:45.450]  So let's walk through
[32:45.450 --> 32:45.870]  this now.
[32:45.870 --> 32:46.810]  I'll kind of show you
[32:46.810 --> 32:47.630]  the framework around
[32:47.630 --> 32:48.450]  it and there's a lot
[32:48.450 --> 32:49.770]  that we can build into
[32:49.770 --> 32:50.670]  this capability.
[32:50.670 --> 32:51.370]  The biggest challenge
[32:51.370 --> 32:52.590]  that I've had so far
[32:52.590 --> 32:53.470]  is just trying to do
[32:53.470 --> 32:55.230]  some of the
[32:55.230 --> 32:55.710]  asynchronous programming
[32:57.330 --> 32:57.730]  against it because a
[32:57.730 --> 32:57.810]  lot of times you have
[32:57.810 --> 32:58.470]  a large site where
[32:58.470 --> 32:59.070]  you're trying to do
[32:59.070 --> 33:00.470]  downloads and actually
[33:00.470 --> 33:01.610]  pulling the files, but
[33:02.030 --> 33:02.790]  as we get more
[33:02.790 --> 33:03.570]  efficient with this, I'm
[33:03.570 --> 33:04.310]  pretty excited about
[33:04.310 --> 33:05.110]  this and I think it has
[33:05.210 --> 33:06.010]  a lot of promise with
[33:06.010 --> 33:06.550]  it.
[33:07.490 --> 33:08.110]  So what we're going to
[33:08.110 --> 33:09.170]  do is we have all of
[33:09.170 --> 33:10.030]  our parameters set up.
[33:10.030 --> 33:10.630]  We're actually going to
[33:10.630 --> 33:11.330]  run this one against
[33:11.330 --> 33:12.250]  the smaller domain for
[33:12.250 --> 33:13.290]  demo purposes because
[33:13.290 --> 33:14.030]  if we have something
[33:14.030 --> 33:15.490]  that has 70,000
[33:15.490 --> 33:16.510]  websites and pages,
[33:16.510 --> 33:17.390]  it's just not fast
[33:17.390 --> 33:18.190]  enough at this point
[33:18.190 --> 33:19.170]  to download this in
[33:19.610 --> 33:20.470]  a timely fashion.
[33:20.470 --> 33:20.990]  We would be sitting
[33:20.990 --> 33:21.930]  here for maybe 40
[33:21.930 --> 33:22.890]  minutes or an hour.
[33:22.890 --> 33:24.410]  So in this case, we
[33:24.410 --> 33:25.270]  can always speed it up
[33:25.270 --> 33:25.910]  as we go, but we're
[33:25.910 --> 33:26.770]  going to run this
[33:26.770 --> 33:28.470]  against derbycon.com.
[33:28.970 --> 33:30.510]  So we've kicked off
[33:30.510 --> 33:31.570]  our Athena query.
[33:31.570 --> 33:32.670]  It's running it now.
[33:32.670 --> 33:33.530]  It's searching.
[33:33.530 --> 33:34.530]  It's looking for all
[33:34.530 --> 33:35.610]  of the webpages that
[33:35.610 --> 33:36.650]  this is indexed and
[33:36.650 --> 33:37.990]  cached and copied and
[33:37.990 --> 33:39.670]  saved within the
[33:39.670 --> 33:41.030]  Common Crawl dataset.
[33:41.430 --> 33:42.270]  So let's go ahead and
[33:42.270 --> 33:43.290]  kick off our run and
[33:43.770 --> 33:45.010]  what this is going to
[33:45.010 --> 33:45.710]  do is it's going to
[33:45.710 --> 33:47.210]  look and it's going to
[33:47.210 --> 33:49.090]  just wait for the
[33:50.470 --> 33:51.730]  query to stop running
[33:51.730 --> 33:52.830]  and then it will pull
[33:52.830 --> 33:53.410]  in and load the
[33:53.410 --> 33:54.230]  results for us into
[33:54.350 --> 33:54.390]  a database.
[33:54.390 --> 33:55.750]  So we'll let this run
[33:55.750 --> 33:56.910]  for a few minutes.
[33:57.210 --> 33:58.090]  All right, so it looks
[33:58.090 --> 33:58.690]  like we have our
[33:58.690 --> 33:59.410]  results here.
[33:59.450 --> 34:02.290]  So it pulled back 579
[34:02.290 --> 34:03.510]  different websites.
[34:03.510 --> 34:04.770]  What we want to do is
[34:05.310 --> 34:06.350]  since it's been running
[34:06.350 --> 34:07.390]  over the course of
[34:07.390 --> 34:08.750]  eight years, there's a
[34:08.750 --> 34:09.510]  lot of different
[34:09.510 --> 34:10.270]  versions, iterations,
[34:10.270 --> 34:10.870]  which is actually
[34:10.870 --> 34:11.510]  pretty neat if you want
[34:11.510 --> 34:12.470]  to see how websites
[34:12.470 --> 34:13.290]  have evolved and look
[34:13.290 --> 34:14.270]  for changes or maybe
[34:14.390 --> 34:15.270]  there's a vulnerability
[34:15.270 --> 34:17.030]  or an issue or a
[34:17.030 --> 34:17.870]  comment in there that
[34:17.870 --> 34:18.950]  they moved out and you
[34:18.950 --> 34:20.290]  could see the difference
[34:20.290 --> 34:20.930]  between the different
[34:20.930 --> 34:21.150]  versions.
[34:21.150 --> 34:23.090]  But in this case, I'm
[34:23.090 --> 34:24.290]  interested more in just
[34:24.290 --> 34:24.370]  the unique URLs that
[34:24.370 --> 34:24.870]  we have.
[34:24.870 --> 34:25.610]  So we're going to run
[34:25.610 --> 34:26.490]  this next command which
[34:26.490 --> 34:27.330]  is going to sort them
[34:27.330 --> 34:28.730]  and it's going to drop
[34:28.730 --> 34:29.830]  all the duplicates and
[34:29.830 --> 34:30.550]  it's going to keep the
[34:30.550 --> 34:31.410]  latest version of the
[34:31.410 --> 34:31.990]  webpage.
[34:32.010 --> 34:32.610]  So let's go ahead and
[34:32.610 --> 34:33.530]  run this right now.
[34:33.530 --> 34:33.930]  And that was pretty
[34:33.930 --> 34:34.810]  instantaneous.
[34:35.330 --> 34:36.230]  And now we're down to
[34:36.230 --> 34:37.510]  73 different rows.
[34:37.510 --> 34:38.270]  So there were a lot of
[34:38.270 --> 34:39.190]  different iterations,
[34:39.190 --> 34:41.090]  versions of the site
[34:41.090 --> 34:41.830]  cached.
[34:42.110 --> 34:42.770]  And then what this will
[34:42.770 --> 34:43.630]  do is we can run this
[34:43.630 --> 34:44.610]  next command, we can
[34:44.610 --> 34:45.750]  save it off to Excel so
[34:45.750 --> 34:46.490]  that way we can have
[34:46.490 --> 34:48.030]  our URL listing for
[34:48.030 --> 34:49.150]  future analysis, future
[34:49.150 --> 34:49.830]  loading.
[34:51.050 --> 34:53.470]  And then as we go on,
[34:53.470 --> 34:54.350]  what this will do is
[34:54.350 --> 34:55.430]  if you want to look,
[34:55.430 --> 34:56.990]  this will pull out and
[34:56.990 --> 34:58.350]  only list now our URLs
[34:58.350 --> 34:59.270]  which is what we care
[34:59.270 --> 35:00.090]  about a lot of times,
[35:00.090 --> 35:00.590]  especially if we're
[35:00.590 --> 35:01.510]  trying to scope, we want
[35:01.510 --> 35:02.750]  to do web crawls.
[35:02.750 --> 35:03.510]  And keep in mind that
[35:03.510 --> 35:04.370]  everything that we're
[35:04.370 --> 35:05.230]  showing today, everything
[35:05.230 --> 35:07.570]  is completely 100%
[35:07.570 --> 35:08.130]  passive.
[35:08.130 --> 35:09.370]  We are not touching any
[35:09.370 --> 35:10.110]  of these sites, these
[35:10.110 --> 35:11.170]  webpages or anything.
[35:11.170 --> 35:12.610]  So this is all examples
[35:12.610 --> 35:13.490]  of what you can do,
[35:13.490 --> 35:15.430]  100% passive reconnaissance.
[35:15.430 --> 35:16.430]  So we will never touch
[35:16.590 --> 35:17.590]  a system of any of these
[35:17.590 --> 35:18.250]  domains that we've
[35:18.250 --> 35:18.990]  looked at.
[35:18.990 --> 35:19.990]  And then for next steps
[35:19.990 --> 35:21.230]  then you start, you can
[35:21.230 --> 35:23.170]  start based on scope and
[35:23.170 --> 35:24.270]  allowances and permissions
[35:24.270 --> 35:25.190]  and things like that to
[35:25.190 --> 35:26.430]  get more intrusive as we
[35:26.430 --> 35:28.230]  do further analysis,
[35:28.230 --> 35:28.950]  whether it's from a
[35:28.950 --> 35:29.930]  red teaming perspective
[35:29.930 --> 35:30.990]  or however.
[35:30.990 --> 35:31.790]  But what we have right
[35:31.790 --> 35:33.130]  now is just a listing of
[35:33.930 --> 35:35.230]  URLs and then what this
[35:35.230 --> 35:37.190]  next big section of kind
[35:38.110 --> 35:39.130]  of a lot of, a lot of
[35:39.130 --> 35:40.070]  different functions and
[35:40.070 --> 35:41.210]  code, I mean it's still
[35:41.210 --> 35:42.250]  for, for the value of
[35:42.250 --> 35:43.270]  what this does, it's,
[35:43.270 --> 35:44.170]  it's not too bad in
[35:44.170 --> 35:45.230]  terms of lines.
[35:45.230 --> 35:45.890]  But what this is going
[35:45.890 --> 35:46.850]  to do is it's going to
[35:46.850 --> 35:48.390]  go through now of the
[35:48.390 --> 35:48.770]  query results.
[35:48.770 --> 35:49.930]  So in this case we're
[35:49.930 --> 35:51.270]  dealing with what, like
[35:51.270 --> 35:52.010]  73 records, so it's not
[35:52.010 --> 35:52.330]  that many.
[35:52.330 --> 35:52.870]  But if you were to run
[35:52.870 --> 35:53.970]  something, I think I ran,
[35:53.970 --> 35:55.450]  I think I ran one earlier
[35:55.450 --> 35:56.110]  this year against
[35:56.110 --> 35:59.170]  defcon.org and it came
[35:59.170 --> 36:00.650]  back with about 70,000
[36:00.650 --> 36:01.110]  records.
[36:01.110 --> 36:01.870]  So some of these,
[36:01.870 --> 36:02.690]  there's a lot of data
[36:02.690 --> 36:03.570]  and content out there
[36:03.570 --> 36:04.670]  and it can take some
[36:04.670 --> 36:04.950]  time.
[36:04.950 --> 36:06.010]  And this is where, this
[36:06.010 --> 36:07.290]  is not that efficient,
[36:07.290 --> 36:08.510]  not that streamlined, a
[36:08.510 --> 36:09.430]  lot of improvement
[36:09.430 --> 36:10.350]  opportunity here.
[36:10.350 --> 36:11.710]  But it, it basically
[36:11.710 --> 36:13.210]  searches, it uses a
[36:13.210 --> 36:14.170]  library in Python called
[36:14.170 --> 36:14.890]  Beautiful Soup, which
[36:14.890 --> 36:16.270]  you can parse down
[36:16.270 --> 36:16.590]  HTML.
[36:16.590 --> 36:18.050]  It's great for HTML
[36:18.050 --> 36:18.570]  processing.
[36:18.570 --> 36:20.010]  It has some built-in
[36:20.010 --> 36:20.950]  capabilities to look for
[36:20.950 --> 36:21.970]  comments and URLs and
[36:21.990 --> 36:22.510]  links.
[36:22.510 --> 36:22.850]  So we're going to start
[36:22.850 --> 36:23.390]  setting this up.
[36:23.390 --> 36:24.410]  And what, I have three
[36:24.410 --> 36:25.370]  parameters that we can
[36:25.370 --> 36:26.590]  pass in, just mostly out
[36:26.590 --> 36:28.850]  of efficiency, is we can,
[36:28.850 --> 36:29.950]  we can say we want to
[36:29.950 --> 36:31.230]  search the files and
[36:31.230 --> 36:32.050]  generally we're going to
[36:32.050 --> 36:33.490]  always want to do that.
[36:33.990 --> 36:35.010]  Do we want to write the
[36:35.010 --> 36:35.290]  files?
[36:35.290 --> 36:36.050]  So what this does is
[36:36.050 --> 36:37.050]  this goes out and it
[36:37.050 --> 36:38.710]  retrieves, well, it's
[36:38.710 --> 36:39.370]  always going to go out
[36:39.370 --> 36:40.470]  and retrieve the files
[36:40.470 --> 36:41.750]  from the S3 buckets, but
[36:41.750 --> 36:42.970]  do we want to write them?
[36:42.970 --> 36:44.150]  So in this case, we're
[36:44.150 --> 36:44.770]  not going to write them
[36:44.770 --> 36:45.590]  for this demo purpose,
[36:45.590 --> 36:46.370]  but you could write it
[36:46.370 --> 36:47.690]  to an S3 bucket.
[36:47.730 --> 36:48.590]  Now you have your HTML
[36:48.590 --> 36:49.530]  files that you can run
[36:49.530 --> 36:50.550]  additional tools and
[36:50.550 --> 36:51.110]  things against.
[36:51.110 --> 36:51.730]  So it's, it's pretty
[36:51.730 --> 36:52.510]  valuable there.
[36:53.150 --> 36:54.090]  And then we can say how
[36:54.090 --> 36:54.730]  many records.
[36:54.730 --> 36:55.650]  So if we just want a
[36:55.650 --> 36:56.970]  subset for testing, if
[36:56.970 --> 36:57.630]  we don't want to pull
[36:57.630 --> 36:58.950]  down all 60,000 at once,
[36:58.950 --> 36:59.990]  we could, we can assign
[36:59.990 --> 37:00.930]  how many records and it
[37:00.930 --> 37:01.850]  will loop through and
[37:01.850 --> 37:03.210]  iterate over and download
[37:03.210 --> 37:04.190]  the number of records we
[37:04.190 --> 37:04.770]  say.
[37:04.770 --> 37:05.870]  And then we, we run
[37:05.870 --> 37:06.770]  this and this function
[37:06.770 --> 37:08.070]  will basically process
[37:08.070 --> 37:08.570]  these.
[37:08.570 --> 37:09.590]  It's going through, you
[37:09.590 --> 37:10.410]  can see I have a
[37:10.410 --> 37:11.170]  counter on it because a
[37:11.170 --> 37:12.190]  lot of times when you're
[37:12.190 --> 37:13.170]  just waiting and you get
[37:13.170 --> 37:13.730]  bored and don't know
[37:13.730 --> 37:15.350]  where it's at, so we
[37:15.350 --> 37:16.170]  can, you can always
[37:16.170 --> 37:16.930]  clean this up so it
[37:16.930 --> 37:17.830]  doesn't iterate every
[37:17.830 --> 37:18.130]  single count.
[37:18.130 --> 37:19.550]  But we've gone through
[37:19.550 --> 37:20.210]  the 73 HTML files we've
[37:20.210 --> 37:21.390]  down, we've processed
[37:21.390 --> 37:21.990]  them as byte
[37:21.990 --> 37:22.670]  strings, we've looked
[37:22.670 --> 37:24.490]  for URLs, the comments,
[37:24.490 --> 37:25.330]  and now we can actually
[37:25.330 --> 37:26.570]  save off the different
[37:27.490 --> 37:28.070]  sections.
[37:28.070 --> 37:28.670]  So we have, we've
[37:28.670 --> 37:29.150]  grabbed all the
[37:29.150 --> 37:30.030]  comments, we've grabbed
[37:30.030 --> 37:31.050]  all the titles, and we've
[37:31.050 --> 37:32.190]  grabbed all the links.
[37:32.410 --> 37:33.470]  So if I run this next
[37:33.470 --> 37:34.310]  one, this is actually
[37:34.310 --> 37:35.450]  going to show you the,
[37:35.810 --> 37:36.870]  the listing of links.
[37:36.870 --> 37:37.730]  And what I, what I like
[37:37.730 --> 37:39.050]  about this is that it
[37:39.050 --> 37:40.190]  actually shows you which
[37:41.230 --> 37:42.270]  website that the links
[37:42.270 --> 37:43.190]  came from as well,
[37:43.190 --> 37:44.090]  which I think is really
[37:44.090 --> 37:44.870]  valuable, especially
[37:44.870 --> 37:45.630]  with sometimes when you
[37:45.630 --> 37:46.370]  do crawls, you don't
[37:46.370 --> 37:47.150]  always know, where did
[37:47.150 --> 37:47.830]  I find this link?
[37:47.830 --> 37:48.450]  Where did this come
[37:48.450 --> 37:48.750]  from?
[37:48.750 --> 37:49.750]  And in this case, it
[37:49.750 --> 37:50.610]  does all of the mapping,
[37:50.610 --> 37:51.410]  so if you start building
[37:51.410 --> 37:52.650]  like a bigger mind map
[37:52.650 --> 37:53.470]  or something of it, you
[37:53.470 --> 37:54.470]  can, you can have some
[37:54.470 --> 37:55.390]  value there.
[37:55.450 --> 37:56.430]  And if we wanted to look
[37:56.430 --> 37:57.610]  at something instead,
[37:57.610 --> 37:58.330]  let's say we wanted to
[37:58.330 --> 37:59.750]  look at the, the
[38:00.750 --> 38:01.870]  comments across it, we
[38:01.870 --> 38:03.850]  can do that, and then
[38:03.850 --> 38:04.650]  we can just print it
[38:04.650 --> 38:05.250]  out.
[38:05.250 --> 38:06.210]  So this will just print
[38:06.210 --> 38:07.710]  out the top, the first
[38:07.710 --> 38:09.090]  10 comments we have.
[38:09.510 --> 38:10.190]  Let's just see what
[38:10.190 --> 38:11.230]  this looks like.
[38:12.490 --> 38:13.570]  And then there's,
[38:13.570 --> 38:14.250]  there's your list of
[38:14.250 --> 38:15.110]  comments that are within
[38:15.110 --> 38:15.770]  the HTML.
[38:15.770 --> 38:16.390]  So as you get this,
[38:16.390 --> 38:17.150]  you can start then
[38:17.150 --> 38:18.370]  further looking through
[38:18.370 --> 38:18.730]  there of, you know,
[38:18.730 --> 38:19.450]  of, are there any
[38:19.450 --> 38:20.030]  secrets, are there
[38:20.030 --> 38:20.950]  passwords, you can do
[38:20.950 --> 38:22.230]  regex, you can, you can
[38:22.230 --> 38:22.950]  do different things in
[38:22.950 --> 38:23.690]  there, so it's, it's
[38:23.690 --> 38:24.490]  pretty neat.
[38:25.670 --> 38:26.850]  I guess that's the,
[38:26.850 --> 38:28.170]  that's the extent right
[38:28.170 --> 38:28.950]  now I think we're going
[38:28.950 --> 38:29.410]  to go through.
[38:29.410 --> 38:30.250]  I started looking into
[38:30.250 --> 38:30.910]  NetworkX.
[38:30.910 --> 38:31.510]  I think there's some
[38:31.510 --> 38:32.530]  promise there in terms of
[38:32.530 --> 38:33.910]  getting a larger map at
[38:33.910 --> 38:34.770]  scale, but I don't have
[38:34.890 --> 38:35.650]  a lot of that code done
[38:35.650 --> 38:37.050]  yet, but a lot I want
[38:37.050 --> 38:37.950]  to build on, especially
[38:37.950 --> 38:38.670]  with this functionality
[38:38.670 --> 38:39.370]  because I think there's
[38:39.370 --> 38:40.950]  so much value from even
[38:40.950 --> 38:42.030]  an automated perspective
[38:42.030 --> 38:43.430]  where now we can tie in
[38:43.430 --> 38:44.290]  additional tools that
[38:44.290 --> 38:44.930]  are really good at
[38:44.930 --> 38:46.090]  HTML processing.
[38:46.090 --> 38:47.150]  We can start to grab
[38:47.150 --> 38:48.230]  JavaScript libraries,
[38:48.230 --> 38:49.310]  codes, external references
[38:49.310 --> 38:50.530]  and all that and do,
[38:50.530 --> 38:51.290]  you can really start
[38:51.290 --> 38:52.290]  building a pretty big
[38:52.290 --> 38:53.890]  map of, of your target
[38:53.890 --> 38:54.870]  surface.
[39:00.710 --> 39:01.950]  Let's jump into another
[39:01.950 --> 39:02.450]  demo.
[39:02.450 --> 39:04.270]  This one is going to
[39:04.270 --> 39:05.330]  search the autonomous
[39:05.330 --> 39:06.490]  system numbers, which is
[39:06.490 --> 39:07.970]  part of generally your
[39:07.970 --> 39:09.130]  reconnaissance methodology
[39:09.130 --> 39:10.230]  of where you want to
[39:10.230 --> 39:11.170]  find out the different
[39:11.170 --> 39:12.390]  site or network ranges
[39:12.390 --> 39:13.570]  that are assigned to
[39:13.570 --> 39:14.810]  different companies.
[39:14.810 --> 39:15.790]  So what you typically do
[39:15.790 --> 39:16.870]  is you would enter in
[39:16.870 --> 39:18.390]  the company name or a
[39:18.390 --> 39:19.750]  keyword for that company
[39:19.750 --> 39:21.110]  and it would return the
[39:21.110 --> 39:22.710]  different site or ranges
[39:22.710 --> 39:23.650]  for that so then you can
[39:23.650 --> 39:24.590]  further do your
[39:24.590 --> 39:25.630]  reconnaissance doing
[39:25.630 --> 39:26.710]  whether you do Nmap
[39:26.710 --> 39:27.670]  scans or any type of
[39:27.670 --> 39:28.410]  searches against those
[39:28.410 --> 39:29.650]  IP ranges.
[39:29.750 --> 39:30.610]  So what this does is
[39:30.610 --> 39:31.830]  this uses the MaxMind
[39:31.830 --> 39:32.970]  databases as well that
[39:32.970 --> 39:33.850]  we talked about earlier
[39:33.850 --> 39:34.850]  with the geolocation
[39:34.850 --> 39:36.390]  data doing that, but
[39:36.390 --> 39:37.670]  this uses their ASN
[39:37.670 --> 39:38.670]  databases.
[39:39.190 --> 39:40.610]  And so part of this is
[39:40.610 --> 39:41.550]  we'll walk down
[39:41.550 --> 39:42.810]  through it all, but
[39:42.810 --> 39:43.950]  what it does is if
[39:43.950 --> 39:44.690]  you're looking here at
[39:44.690 --> 39:45.410]  this Jupyter Notebook
[39:45.410 --> 39:47.530]  now, we go and these
[39:47.530 --> 39:48.630]  first sections actually
[39:48.630 --> 39:49.730]  just prepare everything.
[39:49.730 --> 39:50.630]  So if you want to be
[39:50.630 --> 39:51.450]  able to set this up in
[39:51.450 --> 39:52.430]  an environment where it
[39:52.430 --> 39:53.530]  does it completely
[39:55.410 --> 39:56.250]  automated where it will
[39:56.250 --> 39:56.990]  download.
[39:56.990 --> 39:58.290]  We have the URLs here
[39:59.090 --> 40:00.550]  and you can set this up
[40:00.550 --> 40:01.230]  on your own just by
[40:01.230 --> 40:02.170]  running this notebook so
[40:02.170 --> 40:03.010]  that way you can continue
[40:03.010 --> 40:04.150]  to run tools against
[40:04.150 --> 40:05.490]  it and do and leverage
[40:05.490 --> 40:06.970]  this there because I
[40:06.970 --> 40:08.410]  really want to eliminate
[40:08.410 --> 40:09.450]  all the manual steps
[40:09.450 --> 40:09.930]  possible.
[40:09.930 --> 40:10.670]  So the last thing I want
[40:10.670 --> 40:11.750]  to do is have to log
[40:11.750 --> 40:12.650]  into their website, get
[40:12.650 --> 40:13.770]  the latest database and
[40:13.770 --> 40:14.250]  do.
[40:14.250 --> 40:15.030]  So this will walk you
[40:15.030 --> 40:15.830]  through it.
[40:16.170 --> 40:17.690]  One pretty neat thing
[40:17.690 --> 40:18.630]  about this is that
[40:19.370 --> 40:20.550]  recently they've changed
[40:20.550 --> 40:21.570]  to and you have to have
[40:21.690 --> 40:22.590]  a license key now.
[40:22.590 --> 40:23.610]  It's still free, but you
[40:23.610 --> 40:24.530]  have to log in, register
[40:24.530 --> 40:25.530]  in their portal, get a
[40:25.530 --> 40:27.030]  license secret to be able
[40:27.030 --> 40:28.070]  to download those
[40:28.070 --> 40:28.470]  databases.
[40:28.470 --> 40:29.790]  Now, when I share this
[40:29.790 --> 40:30.730]  code, I don't want my
[40:30.730 --> 40:31.870]  license key in there.
[40:31.870 --> 40:33.070]  That's another benefit
[40:33.070 --> 40:34.810]  of using the cloud and
[40:34.810 --> 40:36.310]  Amazon is that they have
[40:36.310 --> 40:37.930]  a service called
[40:37.930 --> 40:39.110]  Secrets Manager.
[40:39.110 --> 40:40.190]  And what you can do is
[40:40.190 --> 40:41.030]  actually you can call
[40:41.030 --> 40:42.270]  Secrets Manager from
[40:42.270 --> 40:43.690]  your Python code and
[40:43.690 --> 40:44.690]  pull out secrets in
[40:44.690 --> 40:44.970]  store.
[40:44.970 --> 40:46.190]  So as you start to get
[40:46.190 --> 40:48.310]  a big list of different
[40:48.310 --> 40:49.510]  API keys and as you
[40:49.510 --> 40:50.530]  talk about across
[40:50.530 --> 40:50.950]  the cloud, even
[40:51.530 --> 40:52.470]  previously we made a
[40:52.470 --> 40:53.430]  call for the Google
[40:53.430 --> 40:56.030]  Maps API, I pulled the
[40:56.030 --> 40:56.910]  API key that I used
[40:56.910 --> 40:58.690]  for that out of the
[40:58.690 --> 41:00.110]  Secrets Manager within
[41:00.110 --> 41:00.930]  AWS.
[41:00.930 --> 41:03.230]  So this function here
[41:03.230 --> 41:03.990]  is actually what does
[41:03.990 --> 41:04.190]  it.
[41:04.190 --> 41:05.110]  It's in the notebooks.
[41:05.110 --> 41:06.270]  It's in my central
[41:06.270 --> 41:07.210]  notebook because it's
[41:07.350 --> 41:07.570]  reusable.
[41:07.570 --> 41:08.510]  But you just pass in
[41:08.510 --> 41:09.370]  the secret name, the
[41:09.370 --> 41:10.210]  region name, it loads
[41:10.210 --> 41:11.570]  it into here as a
[41:11.570 --> 41:12.070]  variable so that way
[41:12.070 --> 41:12.890]  you don't have to have
[41:12.890 --> 41:13.430]  it in clear text.
[41:13.550 --> 41:14.730]  And it's a security
[41:14.730 --> 41:16.090]  best practice and it's
[41:16.090 --> 41:16.390]  definitely safe if
[41:16.390 --> 41:17.270]  you're putting your
[41:17.270 --> 41:17.830]  code into GitHub and
[41:17.830 --> 41:18.070]  things.
[41:18.070 --> 41:19.270]  So I think as security
[41:19.270 --> 41:20.510]  practitioners anyway,
[41:20.510 --> 41:21.290]  that's just something
[41:21.290 --> 41:22.050]  to get better at
[41:22.050 --> 41:22.830]  because we push our
[41:22.830 --> 41:23.910]  developers to do that.
[41:23.910 --> 41:25.370]  We push a lot of
[41:25.370 --> 41:26.090]  people that we talk
[41:26.090 --> 41:26.830]  to to do that, but
[41:26.830 --> 41:28.050]  it's hard and it
[41:28.050 --> 41:28.910]  takes extra time.
[41:28.910 --> 41:29.630]  So here's kind of
[41:29.630 --> 41:30.430]  just an accelerator
[41:30.430 --> 41:31.250]  that you can copy,
[41:31.250 --> 41:32.290]  paste, use it in your
[41:32.290 --> 41:33.190]  Python code, especially
[41:33.190 --> 41:33.770]  if you're working
[41:33.770 --> 41:35.310]  within a cloud
[41:35.310 --> 41:36.250]  ecosystem.
[41:36.650 --> 41:37.750]  An alternative to
[41:37.750 --> 41:38.870]  that is it's called
[41:38.870 --> 41:40.510]  Pickle and it's a
[41:40.510 --> 41:41.530]  library within Python
[41:41.530 --> 41:42.190]  2 where you can
[41:42.190 --> 41:43.670]  actually save files
[41:43.670 --> 41:43.890]  locally.
[41:43.890 --> 41:44.590]  Now they're just
[41:44.590 --> 41:45.710]  binary files that can
[41:45.710 --> 41:46.950]  get loaded back into
[41:46.950 --> 41:47.490]  Pickle so they're not
[41:47.490 --> 41:48.430]  secured, encrypted,
[41:48.430 --> 41:49.490]  anything like that.
[41:49.490 --> 41:50.290]  But it can at least
[41:50.290 --> 41:51.150]  call it from your
[41:51.150 --> 41:52.170]  operating system rather
[41:52.170 --> 41:54.010]  than pulling it or
[41:54.010 --> 41:55.050]  storing it hard-coded
[41:55.050 --> 41:57.150]  into an environmental
[41:57.150 --> 41:58.270]  variable or within
[41:58.270 --> 41:58.670]  your code.
[41:58.670 --> 42:00.010]  So another option if
[42:00.010 --> 42:00.610]  you don't want to use
[42:00.610 --> 42:01.630]  Secrets Manager.
[42:02.270 --> 42:03.210]  So as we go through
[42:03.210 --> 42:04.090]  this, this all gets
[42:04.090 --> 42:04.570]  set up.
[42:04.570 --> 42:05.150]  I already have all
[42:05.150 --> 42:06.050]  this, but you can see
[42:06.050 --> 42:06.990]  if you put an
[42:06.990 --> 42:07.770]  exclamation mark
[42:07.770 --> 42:09.030]  before any commands,
[42:09.030 --> 42:09.690]  you can actually run
[42:09.690 --> 42:10.730]  Linux commands off of
[42:10.730 --> 42:11.930]  this and SageMaker's
[42:11.930 --> 42:13.010]  running in the back
[42:13.010 --> 42:14.130]  end of a Linux server.
[42:14.130 --> 42:15.350]  So you can do a lot
[42:15.350 --> 42:16.110]  of that too, which is
[42:16.110 --> 42:17.110]  pretty neat from a
[42:17.110 --> 42:18.270]  flexibility standpoint.
[42:18.270 --> 42:19.110]  So this manipulates
[42:19.650 --> 42:21.150]  all your data, does a
[42:21.150 --> 42:22.670]  wget, pulls it all
[42:22.670 --> 42:23.570]  down, goes through
[42:23.570 --> 42:25.090]  that process, does a
[42:25.090 --> 42:26.250]  cleanup.
[42:26.250 --> 42:27.870]  I hate having files
[42:27.870 --> 42:28.670]  just sitting on my
[42:28.670 --> 42:29.390]  computer that I don't
[42:29.390 --> 42:30.110]  need or want.
[42:30.110 --> 42:30.650]  So whenever you
[42:30.650 --> 42:31.490]  unzip this, this will
[42:31.490 --> 42:32.770]  do all the cleanup for
[42:32.770 --> 42:34.330]  you, loads it into a
[42:34.330 --> 42:34.930]  directory, and then
[42:34.930 --> 42:36.670]  now you have your
[42:36.670 --> 42:36.890]  files.
[42:36.890 --> 42:37.610]  So what we're going
[42:37.610 --> 42:40.450]  to do is we're going
[42:40.450 --> 42:41.650]  to actually start on
[42:41.650 --> 42:42.370]  down here because
[42:42.370 --> 42:46.450]  what's neat about this
[42:46.450 --> 42:47.090]  is we can run all
[42:47.090 --> 42:48.410]  do this after we have
[42:48.410 --> 42:49.330]  everything set up with
[42:49.330 --> 42:50.430]  just, what is this,
[42:50.430 --> 42:51.210]  like 10 lines of
[42:51.210 --> 42:51.590]  code.
[42:51.590 --> 42:52.870]  So it's actually pretty
[42:52.870 --> 42:53.770]  straightforward to do
[42:53.770 --> 42:54.050]  this.
[42:54.050 --> 42:54.710]  And you can start to
[42:54.710 --> 42:55.590]  automate it then by
[42:55.590 --> 42:56.590]  passing in variables,
[42:56.590 --> 42:57.250]  call this from other
[42:57.250 --> 42:58.390]  functions from a
[42:58.390 --> 42:59.570]  reconnaissance standpoint.
[42:59.570 --> 43:01.890]  I'm going to restart,
[43:01.890 --> 43:02.790]  reset our variables so
[43:02.790 --> 43:04.610]  we don't have any
[43:04.610 --> 43:05.310]  existing output.
[43:05.310 --> 43:06.370]  So you'll see this
[43:06.370 --> 43:07.030]  cleanup.
[43:07.030 --> 43:07.450]  Okay, so now what
[43:07.450 --> 43:08.030]  we're going to do is
[43:08.030 --> 43:09.250]  we're going to leverage
[43:09.250 --> 43:10.430]  Microsoft again as our
[43:10.430 --> 43:11.050]  example, and we're
[43:11.050 --> 43:11.870]  going to search their
[43:11.870 --> 43:12.490]  org for their numbers.
[43:12.490 --> 43:13.710]  So we're going to go
[43:13.710 --> 43:14.490]  ahead and run this.
[43:15.570 --> 43:16.670]  And what it's doing is
[43:16.670 --> 43:17.890]  it's actually calling
[43:17.890 --> 43:18.850]  out, pulling in the
[43:18.850 --> 43:20.010]  MaxMind, searching for
[43:20.010 --> 43:20.790]  it, and then it comes
[43:20.790 --> 43:21.290]  back.
[43:21.290 --> 43:22.970]  And it went through,
[43:22.970 --> 43:24.090]  it looks like the
[43:24.090 --> 43:25.090]  latest row that had
[43:25.090 --> 43:25.810]  Microsoft in was
[43:25.810 --> 43:26.950]  430,000.
[43:26.950 --> 43:28.210]  So it went through a
[43:28.210 --> 43:28.910]  considerable amount of
[43:28.910 --> 43:30.530]  data for this, came
[43:30.530 --> 43:31.230]  back, and then it
[43:31.230 --> 43:32.050]  loaded it all into a
[43:32.050 --> 43:32.470]  data frame.
[43:32.470 --> 43:33.550]  So we have all of the
[43:33.550 --> 43:36.110]  entries for Microsoft's
[43:36.110 --> 43:37.590]  CIDR ranges into
[43:37.590 --> 43:38.130]  there.
[43:38.130 --> 43:38.870]  So now what we can
[43:38.870 --> 43:40.310]  do is we can write
[43:40.310 --> 43:42.070]  that to a CSV file,
[43:42.070 --> 43:43.330]  or we can start to
[43:43.330 --> 43:43.790]  parse and manipulate
[43:43.790 --> 43:43.970]  and pull it into the
[43:43.970 --> 43:45.030]  next lineup if maybe
[43:45.030 --> 43:46.130]  you want to now kick
[43:46.130 --> 43:47.050]  off Nmap scans
[43:47.050 --> 43:47.830]  automatically, you
[43:47.830 --> 43:48.450]  could leverage this
[43:48.450 --> 43:49.290]  data and do, because
[43:49.290 --> 43:50.250]  it's normalized.
[43:50.910 --> 43:52.410]  So this actually wrote
[43:52.410 --> 43:54.150]  it to my, back to my
[43:54.150 --> 43:55.610]  recon page that's
[43:55.610 --> 43:56.990]  that static S3 site.
[43:56.990 --> 43:58.010]  So now I can have a
[43:58.010 --> 43:59.410]  list of here's the
[43:59.410 --> 44:00.010]  output of the
[44:00.010 --> 44:00.650]  different CIDR ranges.
[44:00.650 --> 44:01.310]  So I can just kind of
[44:01.310 --> 44:02.610]  see what I'm doing on
[44:02.610 --> 44:03.710]  an overview of it.
[44:03.710 --> 44:04.630]  So it's kind of neat
[44:04.630 --> 44:05.530]  too that collectively
[44:05.530 --> 44:06.230]  you can kind of now
[44:06.230 --> 44:07.090]  have this dashboard
[44:07.090 --> 44:07.850]  that you can watch as
[44:07.850 --> 44:08.970]  you do your own
[44:09.830 --> 44:10.750]  reconnaissance and
[44:10.750 --> 44:11.610]  bug bounty or anything
[44:11.610 --> 44:12.470]  that you're doing.
[44:12.470 --> 44:13.150]  And it's kind of fun
[44:13.150 --> 44:14.010]  to see that.
[44:14.570 --> 44:15.470]  So that's, that's
[44:15.470 --> 44:16.390]  really that demo.
[44:16.390 --> 44:17.650]  And then it actually,
[44:17.650 --> 44:18.610]  we can look at the
[44:18.610 --> 44:19.070]  org too.
[44:19.070 --> 44:20.970]  So we see it's 8075.
[44:20.970 --> 44:21.490]  So if we want to
[44:21.490 --> 44:22.750]  search for that org
[44:22.750 --> 44:23.490]  number in case the
[44:23.490 --> 44:24.170]  name's different or
[44:24.170 --> 44:25.230]  anything, we just swap
[44:25.230 --> 44:25.550]  out.
[44:25.550 --> 44:26.650]  And it actually ran
[44:26.650 --> 44:27.870]  both, but I'm going to
[44:27.870 --> 44:28.590]  comment it out so you
[44:28.590 --> 44:29.370]  can just see the results
[44:29.370 --> 44:29.890]  and we run that
[44:29.890 --> 44:30.790]  against it and we
[44:30.790 --> 44:32.330]  should have the output
[44:32.330 --> 44:33.210]  of the org number
[44:33.210 --> 44:34.330]  pretty quickly too.
[44:34.330 --> 44:34.990]  So you can see the
[44:34.990 --> 44:35.970]  orgs and it just
[44:35.970 --> 44:36.750]  happens they all have
[44:36.750 --> 44:37.430]  Microsoft in them
[44:37.430 --> 44:38.250]  anyway, but that's
[44:38.250 --> 44:38.990]  just another option
[44:38.990 --> 44:40.090]  you can always do.
[44:48.780 --> 44:49.540]  All right.
[44:49.540 --> 44:50.720]  So let's take a look
[44:50.720 --> 44:51.760]  at two more quick
[44:51.760 --> 44:53.060]  demos and one of
[44:53.060 --> 44:53.680]  these and you'll,
[44:53.680 --> 44:54.660]  you'll pretty much
[44:54.660 --> 44:55.540]  hear from me over
[44:55.540 --> 44:56.260]  and over, especially
[44:56.260 --> 44:56.880]  if you worked with
[44:56.880 --> 44:58.200]  me of how much that
[44:58.200 --> 44:59.080]  I don't like to do
[44:59.080 --> 44:59.860]  manual effort in
[44:59.860 --> 45:01.040]  spreadsheets or CSV
[45:01.040 --> 45:02.520]  files and, and from
[45:02.680 --> 45:03.420]  a metrics perspective,
[45:03.420 --> 45:04.440]  how can I completely
[45:04.440 --> 45:05.080]  automate it?
[45:05.080 --> 45:05.780]  And the whole basis
[45:05.780 --> 45:06.680]  of this talk is around
[45:06.680 --> 45:07.840]  automating those manual
[45:07.840 --> 45:08.820]  mundane things that
[45:08.820 --> 45:09.860]  just take time away
[45:09.860 --> 45:10.880]  that we should always
[45:10.880 --> 45:11.880]  have almost in real
[45:11.880 --> 45:12.740]  time or at least
[45:12.740 --> 45:13.880]  near real time metrics
[45:13.880 --> 45:14.680]  and data points that
[45:14.680 --> 45:15.700]  we can have.
[45:15.700 --> 45:17.660]  So I, I hate
[45:17.660 --> 45:18.460]  using Excel
[45:18.460 --> 45:19.240]  spreadsheets and
[45:19.240 --> 45:20.500]  building graphs and
[45:20.500 --> 45:21.380]  charts off of those.
[45:21.380 --> 45:22.100]  Now I'm fine with
[45:22.100 --> 45:23.220]  updating them and
[45:23.220 --> 45:24.100]  keeping them as kind
[45:24.100 --> 45:24.560]  of how do you
[45:24.560 --> 45:25.580]  maintain different
[45:25.580 --> 45:27.000]  components, but one
[45:27.000 --> 45:27.620]  of the neat things
[45:27.620 --> 45:28.460]  about pandas is
[45:28.460 --> 45:29.640]  literally you can, you
[45:29.640 --> 45:30.700]  can import Excel
[45:31.420 --> 45:32.180]  spreadsheets with
[45:32.180 --> 45:33.540]  literally one single
[45:33.540 --> 45:34.180]  command.
[45:34.540 --> 45:36.820]  And so when, when
[45:36.820 --> 45:37.640]  you can do that, it's
[45:37.640 --> 45:38.640]  so easy to do.
[45:38.640 --> 45:40.120]  I figured, of course,
[45:40.120 --> 45:41.100]  we have to be thinking
[45:41.100 --> 45:41.760]  about security
[45:41.760 --> 45:42.520]  awareness. Security
[45:42.520 --> 45:43.200]  awareness should always
[45:43.200 --> 45:43.900]  be in the back of our
[45:43.900 --> 45:44.400]  mind. So when we're
[45:44.400 --> 45:45.160]  working with coworkers
[45:45.160 --> 45:47.160]  ourselves, I, so what
[45:47.160 --> 45:47.980]  I did was I took the
[45:47.980 --> 45:48.820]  step and I said, yeah,
[45:48.820 --> 45:50.060]  absolutely. We need a
[45:50.060 --> 45:51.040]  mask for that. So as
[45:51.040 --> 45:51.940]  we're working in
[45:51.940 --> 45:52.640]  quarantine, when we're
[45:52.640 --> 45:53.720]  on our Zoom calls with
[45:53.720 --> 45:55.140]  our peers, I created
[45:55.140 --> 45:55.760]  these masks that you
[45:55.760 --> 45:57.100]  can pick up, definitely
[45:57.100 --> 45:58.280]  support, pay the, pay
[45:58.280 --> 46:00.040]  the AWS bills for this,
[46:00.040 --> 46:01.160]  but remind your,
[46:01.160 --> 46:01.980]  remind your coworkers
[46:01.980 --> 46:03.260]  on your Zoom calls
[46:03.260 --> 46:04.220]  that they need to
[46:04.220 --> 46:05.180]  modernize, they need
[46:05.180 --> 46:06.280]  to codify and they
[46:06.280 --> 46:07.340]  need to automate. So
[46:07.340 --> 46:09.100]  I, I recommend pop
[46:09.100 --> 46:10.320]  these on, show that,
[46:10.320 --> 46:10.860]  rock these out as
[46:10.860 --> 46:11.860]  you're, as you're in
[46:11.860 --> 46:12.980]  your Zoom calls and
[46:12.980 --> 46:13.520]  just remind people
[46:13.520 --> 46:13.700]  that we need to
[46:13.700 --> 46:14.500]  we need to move
[46:14.500 --> 46:15.340]  faster. We need to be
[46:15.340 --> 46:16.020]  more efficient. We
[46:16.020 --> 46:16.800]  need to automate,
[46:16.800 --> 46:18.020]  codify and move
[46:18.020 --> 46:19.620]  forward. So as we go,
[46:19.620 --> 46:20.920]  as we go into this,
[46:21.300 --> 46:22.200]  let's, let's check
[46:22.200 --> 46:23.160]  this out. So we're
[46:23.160 --> 46:24.060]  going to, we're going
[46:24.060 --> 46:24.740]  to do this one. This
[46:24.740 --> 46:26.060]  is BSIMM. So it's
[46:26.060 --> 46:26.500]  called Building
[46:26.500 --> 46:27.340]  Security In Maturity
[46:27.340 --> 46:29.000]  Model. It's one of
[46:29.000 --> 46:29.700]  the methodologies
[46:29.700 --> 46:30.420]  around application
[46:30.420 --> 46:31.260]  security. So if
[46:31.260 --> 46:31.800]  you're building an
[46:31.800 --> 46:32.580]  application security
[46:32.580 --> 46:33.920]  program, trying to
[46:33.920 --> 46:34.520]  measure how you're
[46:34.520 --> 46:35.660]  doing, this is one of
[46:35.660 --> 46:36.340]  the models that you
[46:36.340 --> 46:37.420]  can leverage and do.
[46:37.420 --> 46:38.240]  So all this does is
[46:38.240 --> 46:39.500]  really it imports it.
[46:39.500 --> 46:40.260]  And this is what I've
[46:40.260 --> 46:41.100]  used to measure
[46:41.100 --> 46:42.220]  programs against over
[46:42.220 --> 46:42.820]  the years. And I
[46:42.820 --> 46:44.100]  really like it. I'm a
[46:44.100 --> 46:45.220]  big advocate, big fan
[46:45.220 --> 46:46.820]  of BSIMM. So what we
[46:46.820 --> 46:47.660]  can do is we can
[46:47.660 --> 46:48.540]  actually load this
[46:49.320 --> 46:50.000]  spreadsheet within
[46:50.440 --> 46:51.140]  just a moment. And
[46:51.140 --> 46:51.880]  this is just a
[46:51.880 --> 46:52.600]  spreadsheet too. So
[46:52.600 --> 46:53.220]  even though we're
[46:53.220 --> 46:54.320]  working, we've shown
[46:54.320 --> 46:56.320]  massive data sets of
[46:56.320 --> 46:57.320]  terabytes and
[46:57.320 --> 46:57.840]  gigabytes of data
[46:57.840 --> 46:58.720]  we've been processing.
[46:58.720 --> 46:59.980]  You can use this for
[46:59.980 --> 47:00.820]  just like single
[47:00.820 --> 47:01.660]  megabyte spreadsheets
[47:01.660 --> 47:02.620]  as well and still
[47:02.620 --> 47:03.420]  automate and do. So
[47:03.420 --> 47:04.600]  this loads it in. We
[47:04.600 --> 47:05.300]  can see, and this is
[47:05.300 --> 47:06.420]  kind of from a metric
[47:06.420 --> 47:07.560]  scorecard dashboard
[47:07.720 --> 47:08.480]  standpoint. And it's
[47:08.480 --> 47:09.340]  also in GitHub. So we
[47:09.340 --> 47:09.760]  can check this out
[47:09.760 --> 47:10.720]  outside of this
[47:10.720 --> 47:12.060]  presentation as well.
[47:12.320 --> 47:13.140]  And then let's say
[47:13.140 --> 47:13.820]  we want to keep
[47:13.820 --> 47:14.720]  dashboards just for
[47:14.720 --> 47:15.400]  our management, our
[47:15.400 --> 47:16.260]  leadership of the
[47:16.260 --> 47:17.100]  scores. You literally
[47:17.100 --> 47:17.940]  can just run this
[47:17.940 --> 47:19.280]  command as you update,
[47:19.280 --> 47:20.140]  have your team members
[47:20.140 --> 47:21.100]  update spreadsheets as
[47:21.100 --> 47:22.020]  you complete a project
[47:22.020 --> 47:23.580]  or a program. And
[47:23.580 --> 47:24.080]  then you can have
[47:24.080 --> 47:24.960]  your spider charts that
[47:24.960 --> 47:25.620]  show kind of where
[47:25.620 --> 47:26.120]  you're at in the
[47:26.120 --> 47:27.360]  maturity loop, where
[47:27.360 --> 47:28.220]  you want to be, where
[47:28.220 --> 47:28.920]  you're at. And these
[47:28.920 --> 47:29.440]  are kind of
[47:29.440 --> 47:30.280]  interactive. You can
[47:30.280 --> 47:31.920]  overlay these and
[47:31.920 --> 47:33.720]  they measure based on
[47:33.720 --> 47:34.680]  how BSIMM actually
[47:34.680 --> 47:35.800]  measures of how high
[47:35.800 --> 47:36.320]  you are in the
[47:36.320 --> 47:37.680]  quadrants. So just
[47:37.680 --> 47:39.540]  one cool example
[47:39.540 --> 47:40.080]  that's pretty
[47:40.080 --> 47:40.840]  lightweight. Here's
[47:40.840 --> 47:41.980]  your output chart of
[47:41.980 --> 47:42.580]  you can see where
[47:42.580 --> 47:43.320]  you're currently at,
[47:43.320 --> 47:44.520]  where your target is,
[47:44.520 --> 47:44.940]  and how you're
[47:44.940 --> 47:45.660]  progressing. So you
[47:45.660 --> 47:46.400]  can kind of build on
[47:46.400 --> 47:47.020]  this and think about
[47:47.020 --> 47:47.460]  all the different
[47:47.460 --> 47:48.260]  metrics, spreadsheets
[47:48.260 --> 47:49.380]  you have. That's
[47:49.380 --> 47:50.380]  literally one line of
[47:50.380 --> 47:51.060]  code that you can
[47:51.060 --> 47:52.180]  pull in an Excel
[47:52.180 --> 47:53.360]  spreadsheet into a
[47:53.360 --> 47:54.940]  pandas data frame and
[47:55.060 --> 47:55.740]  manipulate. And then
[47:55.740 --> 47:56.680]  you never have to do
[47:56.680 --> 47:57.200]  this again. I mean,
[47:57.200 --> 47:57.920]  that took two
[47:57.920 --> 47:58.860]  seconds to run the
[47:58.860 --> 48:00.500]  latest, greatest
[48:00.500 --> 48:01.720]  metrics around an
[48:01.720 --> 48:02.480]  application security
[48:02.480 --> 48:04.160]  program measurement.
[48:04.160 --> 48:04.400]  Here's another
[48:04.400 --> 48:06.440]  example just with a
[48:06.440 --> 48:08.600]  CSV of the CVE
[48:08.600 --> 48:09.240]  library. So it's a
[48:09.240 --> 48:09.880]  data set where you
[48:09.880 --> 48:11.060]  can go actually to
[48:11.060 --> 48:12.400]  MITRE's website. You
[48:12.400 --> 48:13.920]  can download the
[48:13.920 --> 48:14.620]  historical in a
[48:14.620 --> 48:16.060]  CSV format, all of
[48:16.060 --> 48:17.760]  them. So I've
[48:17.760 --> 48:18.440]  already kind of
[48:18.440 --> 48:19.260]  taken the approach
[48:19.260 --> 48:21.980]  of that. We can
[48:21.980 --> 48:22.660]  download the file
[48:22.660 --> 48:24.780]  and we can actually
[48:24.780 --> 48:25.560]  just import it into
[48:25.560 --> 48:26.960]  a data frame. So
[48:26.960 --> 48:28.920]  these few lines of
[48:28.920 --> 48:30.100]  code here will
[48:32.000 --> 48:32.980]  walk through and
[48:32.980 --> 48:33.860]  it loads up
[48:33.860 --> 48:34.380]  176,000 different
[48:34.380 --> 48:37.000]  use. So if you ever
[48:37.000 --> 48:37.460]  wanted to do
[48:37.460 --> 48:38.240]  analytics around
[48:38.240 --> 48:39.360]  those, trying to
[48:39.360 --> 48:40.200]  look at group by
[48:40.200 --> 48:41.000]  how many were
[48:41.000 --> 48:42.680]  issued per year,
[48:42.680 --> 48:43.480]  you can get this.
[48:43.480 --> 48:43.860]  You can run it
[48:43.860 --> 48:44.600]  pretty quickly. So
[48:44.600 --> 48:45.340]  over the past 20
[48:45.340 --> 48:46.100]  years, you can see
[48:46.100 --> 48:46.980]  how the counts
[48:46.980 --> 48:47.500]  have increased
[48:47.500 --> 48:49.820]  over time. You
[48:49.820 --> 48:51.140]  can look at which
[48:51.140 --> 48:51.960]  months are busiest
[48:51.960 --> 48:52.960]  with CVEs. Why do
[48:52.960 --> 48:53.500]  you feel like you're
[48:53.500 --> 48:54.220]  always working over
[48:54.220 --> 48:55.400]  the holidays? You
[48:55.400 --> 48:56.020]  can kind of use
[48:56.020 --> 48:56.860]  this to compare and
[48:56.860 --> 48:57.800]  forecast where you're
[48:57.800 --> 48:58.340]  going to most
[48:58.340 --> 48:58.980]  likely have more
[48:58.980 --> 48:59.580]  patch management
[48:59.580 --> 49:00.820]  resourcing needed
[49:00.820 --> 49:01.740]  in different things.
[49:01.740 --> 49:02.540]  So kind of cool
[49:02.540 --> 49:03.120]  insights that you
[49:03.120 --> 49:03.860]  can share and
[49:03.860 --> 49:04.900]  kind of make it
[49:04.900 --> 49:05.360]  actually as
[49:05.360 --> 49:06.140]  data-driven
[49:06.780 --> 49:07.600]  background and
[49:07.600 --> 49:08.660]  back you up on
[49:08.660 --> 49:10.240]  why certain things
[49:10.240 --> 49:10.940]  are happening. And
[49:10.940 --> 49:12.580]  I think as we go
[49:12.580 --> 49:13.600]  and build programs
[49:13.600 --> 49:14.700]  and security, we
[49:14.700 --> 49:15.320]  should always think
[49:15.320 --> 49:16.180]  in terms of
[49:16.180 --> 49:16.660]  data-driven
[49:16.660 --> 49:19.280]  mindset. The
[49:19.280 --> 49:19.860]  other neat thing
[49:19.860 --> 49:21.580]  is you can load
[49:21.580 --> 49:22.400]  additional libraries.
[49:22.400 --> 49:22.980]  So this actually
[49:22.980 --> 49:23.980]  loads Bokeh,
[49:23.980 --> 49:25.240]  which is a
[49:25.240 --> 49:25.980]  charting tool,
[49:25.980 --> 49:27.220]  a graphing tool
[49:27.220 --> 49:27.960]  within Python,
[49:27.960 --> 49:28.360]  which is used
[49:28.820 --> 49:29.820]  pretty commonly
[49:28.360 --> 49:29.260]  across the scientific
[49:29.260 --> 49:30.660]  computing community
[49:30.660 --> 49:32.020]  as well. And
[49:32.020 --> 49:32.580]  you can also
[49:32.580 --> 49:33.240]  write these to
[49:33.240 --> 49:34.160]  interactive websites
[49:34.160 --> 49:34.740]  and things so you
[49:34.740 --> 49:35.280]  can show the
[49:35.280 --> 49:35.920]  dynamics. So you
[49:35.920 --> 49:36.600]  can start to chart
[49:36.600 --> 49:37.200]  these out, you can
[49:37.200 --> 49:38.020]  graph, you can save
[49:38.020 --> 49:38.720]  them, you can load
[49:38.720 --> 49:39.780]  them, you can do.
[49:39.780 --> 49:40.460]  So just a couple
[49:40.460 --> 49:41.220]  lines of code,
[49:41.220 --> 49:42.360]  repeatable, reusable,
[49:42.360 --> 49:42.940]  and you can build
[49:42.940 --> 49:43.780]  these that you can
[49:43.780 --> 49:44.700]  just use over and
[49:44.700 --> 49:45.280]  over again. So
[49:45.280 --> 49:46.680]  tons of efficiency
[49:46.680 --> 49:47.460]  gain, tons of
[49:47.460 --> 49:49.340]  opportunities to do
[49:49.340 --> 49:50.320]  so. I definitely
[49:51.300 --> 49:52.100]  recommend grasping
[49:52.100 --> 49:53.820]  that. Don't do
[49:53.820 --> 49:54.540]  manual work in
[49:54.540 --> 49:55.180]  spreadsheets anymore
[49:55.180 --> 49:55.820]  other than maybe
[49:55.820 --> 49:56.800]  just populating data
[49:56.800 --> 49:57.520]  or loading it from
[49:57.520 --> 49:58.960]  an API, but leverage
[49:58.960 --> 49:59.960]  it in code and
[49:59.960 --> 50:01.380]  automate your things.
[50:06.730 --> 50:07.810]  As we wrap up
[50:07.810 --> 50:09.270]  this presentation, I
[50:09.270 --> 50:09.970]  forgot to mention
[50:09.970 --> 50:10.930]  that as you build
[50:10.930 --> 50:11.870]  this automation, you
[50:11.870 --> 50:13.150]  have services running,
[50:13.150 --> 50:14.170]  it's really easy with
[50:14.170 --> 50:15.350]  the cloud to build
[50:15.350 --> 50:16.190]  your SNS
[50:16.190 --> 50:17.190]  notifications. So
[50:17.190 --> 50:17.850]  these are simple
[50:17.850 --> 50:19.010]  notification services
[50:19.010 --> 50:20.130]  and you can text
[50:20.130 --> 50:20.810]  yourself, give
[50:20.810 --> 50:21.770]  yourself reminders,
[50:21.770 --> 50:22.510]  let you know where
[50:22.510 --> 50:23.390]  the progress is in
[50:23.390 --> 50:24.330]  any of the processes
[50:24.330 --> 50:25.150]  that you're running.
[50:25.150 --> 50:26.450]  So definitely a
[50:26.450 --> 50:27.330]  handy snippet of
[50:27.330 --> 50:28.210]  code to really
[50:28.210 --> 50:28.470]  leverage and
[50:28.470 --> 50:29.630]  utilize to your
[50:29.630 --> 50:31.230]  advantage. The other
[50:31.230 --> 50:32.070]  part that I wanted to
[50:32.070 --> 50:32.750]  mention is we've
[50:32.750 --> 50:33.610]  looked a lot about
[50:33.610 --> 50:34.650]  kind of red teaming
[50:34.650 --> 50:35.930]  techniques and
[50:35.930 --> 50:36.560]  passive reconnaissance
[50:37.070 --> 50:38.170]  in doing this, but
[50:38.170 --> 50:38.790]  what I want you to
[50:38.790 --> 50:39.530]  think about is if
[50:39.530 --> 50:40.290]  you're in an
[50:40.290 --> 50:41.170]  information security
[50:41.170 --> 50:42.050]  program right now
[50:42.050 --> 50:43.750]  working, look at this
[50:43.750 --> 50:44.490]  from a holistic
[50:44.490 --> 50:45.330]  standpoint of how
[50:45.330 --> 50:46.210]  can you help out the
[50:46.210 --> 50:47.230]  other InfoSec domains
[50:47.230 --> 50:48.050]  that you work side
[50:48.050 --> 50:48.970]  by side along,
[50:48.970 --> 50:50.090]  whether you're in
[50:50.090 --> 50:51.010]  vulnerability risk
[50:51.010 --> 50:51.790]  management, whether
[50:51.790 --> 50:53.510]  you're in third
[50:53.510 --> 50:54.690]  party, whether
[50:54.690 --> 50:55.950]  you're in a
[50:55.950 --> 50:57.090]  cyber fusion center,
[50:57.090 --> 50:57.690]  you're doing security
[50:57.690 --> 50:58.430]  engineering or
[50:58.430 --> 50:59.270]  architecture. Think
[50:59.270 --> 51:00.190]  about those outputs
[51:00.190 --> 51:01.870]  and inputs and how
[51:01.870 --> 51:02.930]  can you better take
[51:02.930 --> 51:04.170]  the data that you're
[51:04.170 --> 51:04.930]  generating within
[51:04.930 --> 51:06.190]  your department and
[51:06.190 --> 51:06.690]  how can you
[51:06.690 --> 51:07.570]  normalize it and
[51:07.570 --> 51:08.730]  pass it on to make
[51:08.730 --> 51:10.070]  maybe the risk
[51:10.070 --> 51:10.990]  management team help
[51:10.990 --> 51:11.710]  them make better
[51:11.710 --> 51:12.930]  decisions, have better
[51:12.930 --> 51:13.890]  normalized data that
[51:13.890 --> 51:14.830]  they can process and
[51:14.830 --> 51:16.030]  do. So think about
[51:16.030 --> 51:16.930]  those gaps and I
[51:16.930 --> 51:17.290]  think that's
[51:17.290 --> 51:17.850]  somewhere that you
[51:17.850 --> 51:18.730]  can really accelerate
[51:18.730 --> 51:20.430]  in your career and
[51:20.430 --> 51:21.170]  it's a gap that we
[51:21.170 --> 51:21.970]  have of where we're
[51:21.970 --> 51:22.670]  really good at
[51:22.670 --> 51:23.570]  building out and
[51:23.570 --> 51:24.830]  ensuring individual
[51:24.830 --> 51:25.710]  silos within
[51:25.710 --> 51:27.070]  information security.
[51:27.170 --> 51:27.850]  But if you can start
[51:27.850 --> 51:28.910]  to show from a
[51:28.910 --> 51:29.870]  career perspective how
[51:29.870 --> 51:30.990]  you can branch and
[51:30.990 --> 51:31.570]  understand kind of
[51:31.570 --> 51:32.550]  what are the value
[51:32.550 --> 51:32.990]  statements, what are
[51:32.990 --> 51:33.850]  the objectives of
[51:33.850 --> 51:34.670]  these different
[51:34.670 --> 51:35.250]  departments within
[51:35.250 --> 51:36.570]  your program, that's
[51:36.570 --> 51:37.110]  where I think you
[51:37.110 --> 51:38.090]  can really accelerate
[51:38.630 --> 51:39.710]  in places that you
[51:39.710 --> 51:40.930]  can really, I guess,
[51:40.930 --> 51:42.070]  just build and
[51:42.070 --> 51:43.850]  extensify your career.
[51:43.850 --> 51:44.610]  So I encourage you
[51:44.610 --> 51:45.370]  to take these
[51:45.370 --> 51:46.210]  principles, these
[51:46.210 --> 51:46.970]  platforms, these
[51:46.970 --> 51:48.190]  topics that we've
[51:48.190 --> 51:48.850]  talked about and
[51:48.850 --> 51:49.650]  start applying them
[51:49.650 --> 51:50.590]  to your daily jobs
[51:50.590 --> 51:52.370]  and I think you'll
[51:52.370 --> 51:53.010]  see some great
[51:53.710 --> 51:54.710]  success. And again,
[51:53.010 --> 51:53.990]  I really appreciate
[51:53.990 --> 51:54.750]  the time today. I
[51:54.750 --> 51:55.650]  hope that you've
[51:55.650 --> 51:56.490]  taken something away
[51:56.490 --> 51:57.590]  out of this. Definitely
[51:57.590 --> 51:58.650]  jump into the GitHub.
[51:58.650 --> 51:59.310]  I'm going to be
[51:59.310 --> 52:00.490]  continuing to build
[52:00.490 --> 52:02.290]  out blog posts and
[52:02.290 --> 52:03.390]  code snippets and
[52:03.390 --> 52:04.510]  accelerators in there.
[52:04.510 --> 52:05.990]  So in the weeks and
[52:05.990 --> 52:06.830]  months, definitely
[52:06.830 --> 52:08.510]  push me, help drive
[52:08.510 --> 52:09.450]  me to keep that
[52:09.450 --> 52:10.630]  populated. But I
[52:10.630 --> 52:11.510]  encourage you to
[52:11.510 --> 52:12.590]  definitely reach out
[52:12.590 --> 52:13.070]  if you have any
[52:13.070 --> 52:14.690]  questions as you go.
[52:14.690 --> 52:15.650]  But I appreciate
[52:15.650 --> 52:16.930]  your time and enjoy
[52:16.930 --> 52:17.990]  the rest of the
[52:17.990 --> 52:19.050]  DEF CON and the
[52:19.050 --> 52:20.070]  Red Team Village.
[52:20.070 --> 52:21.970]  And thanks again
[52:21.970 --> 52:22.930]  and have a great
[52:22.930 --> 52:22.990]  day.
